auto-auth-cli 0.0.1__tar.gz

auto_auth_cli-0.0.1/PKG-INFO

@@ -0,0 +1,298 @@
+Metadata-Version: 2.3
+Name: auto-auth-cli
+Version: 0.0.1
+Summary: Profile-aware auth wrapper for coder agent CLIs
+Keywords: ai,auth,cli,codex,profile
+Author: midodimori
+Author-email: midodimori <midodimori@proton.me>
+License: MIT
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: MacOS
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Topic :: Software Development
+Classifier: Topic :: System :: Systems Administration
+Requires-Python: >=3.13
+Project-URL: Homepage, https://github.com/midodimori/auto-auth-cli
+Project-URL: Repository, https://github.com/midodimori/auto-auth-cli
+Project-URL: Issues, https://github.com/midodimori/auto-auth-cli/issues
+Project-URL: Changelog, https://github.com/midodimori/auto-auth-cli/blob/main/CHANGELOG.md
+Description-Content-Type: text/markdown
+
+# auto-auth-cli
+
+Profile-aware auth switching for coder agent CLIs.
+
+[![PyPI - Version](https://img.shields.io/pypi/v/auto-auth-cli?logo=pypi&logoColor=white)](https://pypi.org/project/auto-auth-cli/)
+[![PyPI - Downloads](https://img.shields.io/pypi/dm/auto-auth-cli?logo=pypi&logoColor=white)](https://pypi.org/project/auto-auth-cli/)
+[![Python Version](https://img.shields.io/pypi/pyversions/auto-auth-cli?logo=python&logoColor=white)](https://pypi.org/project/auto-auth-cli/)
+[![License](https://img.shields.io/github/license/midodimori/auto-auth-cli)](https://github.com/midodimori/auto-auth-cli/blob/main/LICENSE)
+
+`auto-auth` lets you keep multiple authentication profiles for a supported CLI and launch that CLI with the profile you choose. For Codex, it only replaces:
+
+```text
+~/.codex/auth.json
+```
+
+Everything else in `~/.codex` stays shared across profiles.
+
+## Table of Contents
+
+- [Supported Tools](#supported-tools)
+- [Prerequisites](#prerequisites)
+- [Installation](#installation)
+  - [From PyPI](#from-pypi)
+  - [Quick Try from GitHub](#quick-try-from-github)
+  - [Install from GitHub](#install-from-github)
+  - [From Source](#from-source)
+- [Quick Start](#quick-start)
+- [Usage](#usage)
+  - [Codex](#codex)
+  - [Claude Code](#claude-code)
+- [Stored Files](#stored-files)
+- [Development](#development)
+
+## Supported Tools
+
+| Tool | Status | Command category |
+|------|--------|------------------|
+| Codex | Supported | `auto-auth codex ...` |
+| Claude Code | Planned | Not available yet |
+
+## Prerequisites
+
+- **Python 3.13+** - Required by the package.
+- **[uv](https://docs.astral.sh/uv/)** - Used for installation and local development.
+- **Codex CLI** - Required for the current `codex` category. The `codex` executable must be available in `PATH`.
+
+## Installation
+
+Use `--python 3.13` so uv builds the isolated tool environment with a supported Python version.
+
+### From PyPI
+
+Use this for the latest published release.
+
+**Quick try (no installation):**
+
+```sh
+uvx --python 3.13 --from auto-auth-cli@latest auto-auth codex --status
+```
+
+**Install globally:**
+
+```sh
+uv tool install --python 3.13 auto-auth-cli
+```
+
+Then run from any directory:
+
+```sh
+auto-auth codex --status
+```
+
+> **Upgrading:** Run `uv tool upgrade --python 3.13 auto-auth-cli`.
+
+### Quick Try from GitHub
+
+Run `auto-auth` directly from GitHub without installing it globally:
+
+```sh
+uvx --python 3.13 --from git+https://github.com/midodimori/auto-auth-cli auto-auth codex --status
+```
+
+You can use the same `uvx` form for any Codex command:
+
+```sh
+uvx --python 3.13 --from git+https://github.com/midodimori/auto-auth-cli auto-auth codex --setup
+uvx --python 3.13 --from git+https://github.com/midodimori/auto-auth-cli auto-auth codex --auto
+uvx --python 3.13 --from git+https://github.com/midodimori/auto-auth-cli auto-auth codex --profile you -- -m gpt-5.5
+```
+
+### Install from GitHub
+
+Recommended when you want the latest version from the repository available as a normal command.
+
+```sh
+uv tool install --python 3.13 git+https://github.com/midodimori/auto-auth-cli
+```
+
+Then run from any directory:
+
+```sh
+auto-auth codex --status
+```
+
+> **Upgrading:** Re-run `uv tool install --force --python 3.13 git+https://github.com/midodimori/auto-auth-cli`.
+
+### From Source
+
+```sh
+git clone https://github.com/midodimori/auto-auth-cli.git
+cd auto-auth-cli
+uv sync
+uv run auto-auth codex --status
+```
+
+To install globally from source:
+
+```sh
+uv tool install --python 3.13 --editable .
+```
+
+Then run from any directory:
+
+```sh
+auto-auth codex --status
+```
+
+## Quick Start
+
+Create a Codex profile:
+
+```sh
+auto-auth codex --setup
+```
+
+List saved profiles:
+
+```sh
+auto-auth codex --status
+```
+
+Run Codex with a saved profile:
+
+```sh
+auto-auth codex --profile you@example.com
+```
+
+Run Codex with the first profile that has available quota:
+
+```sh
+auto-auth codex --auto
+```
+
+Pass Codex arguments after `--`:
+
+```sh
+auto-auth codex --profile you -- -m gpt-5.5  # Run Codex with a specific profile and model
+auto-auth codex --auto -- -m gpt-5.5  # Auto-select a profile, then run Codex with a model
+auto-auth codex --auto -- --yolo app  # Auto-select a profile, then run the Codex app in yolo mode
+```
+
+## Usage
+
+The first positional argument is the tool category. Codex is the only supported category today.
+
+```sh
+auto-auth <tool> [OPTIONS] [-- TOOL_ARGS...]
+```
+
+### Codex
+
+#### Create a Profile
+
+```sh
+auto-auth codex --setup
+```
+
+`--setup` runs `codex login` in a temporary Codex home, extracts the account metadata from the generated auth file, and saves it as a reusable profile. It does not overwrite your active `~/.codex/auth.json`.
+
+If setup cannot detect an email or account id, provide a label:
+
+```sh
+auto-auth codex --setup --label work
+```
+
+#### List Profiles
+
+```sh
+auto-auth codex --status
+```
+
+The status output shows the active profile, saved profiles, detected plan type, and active marker when the saved account matches the current `~/.codex/auth.json`.
+
+#### Select a Profile
+
+```sh
+auto-auth codex --profile you@example.com
+```
+
+`--profile` accepts a profile email, profile key, account id, or unique prefix:
+
+```sh
+auto-auth codex --profile you
+```
+
+Before switching, `auto-auth` backs up the current Codex auth file, then installs the selected profile into:
+
+```text
+~/.codex/auth.json
+```
+
+#### Auto-Select a Profile
+
+```sh
+auto-auth codex --auto
+```
+
+`--auto` checks saved profiles and launches Codex with the first account that has available quota. Smaller subscriptions are checked first.
+
+#### Pass Codex Arguments
+
+Put Codex arguments after `--`:
+
+```sh
+auto-auth codex --profile you -- -m gpt-5.5  # Run Codex with a specific profile and model
+auto-auth codex --auto -- -m gpt-5.5  # Auto-select a profile, then run Codex with a model
+auto-auth codex --auto -- --yolo app  # Auto-select a profile, then run the Codex app in yolo mode
+```
+
+The last example runs the Codex app in yolo mode after selecting an available profile.
+
+#### Codex Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `CODEX_HOME` | Active Codex config directory | `~/.codex` |
+| `AUTO_AUTH_HOME` | Root directory for saved profiles and backups | `~/.auto-auth` |
+
+### Claude Code
+
+Claude Code support is planned for a future tool category. Until that adapter exists, `auto-auth` only accepts:
+
+```sh
+auto-auth codex ...
+```
+
+## Stored Files
+
+Codex profiles:
+
+```text
+~/.auto-auth/codex/profiles/
+```
+
+Codex auth backups:
+
+```text
+~/.auto-auth/codex/backups/
+```
+
+If `AUTO_AUTH_HOME` is set, those paths move under that directory.
+
+## Development
+
+```sh
+uv sync --all-groups
+uv run pre-commit install
+uv run pre-commit run --all-files
+uv run pytest -q
+uv run ruff check .
+uv run ty check
+```

auto_auth_cli-0.0.1/README.md

@@ -0,0 +1,272 @@
+# auto-auth-cli
+
+Profile-aware auth switching for coder agent CLIs.
+
+[![PyPI - Version](https://img.shields.io/pypi/v/auto-auth-cli?logo=pypi&logoColor=white)](https://pypi.org/project/auto-auth-cli/)
+[![PyPI - Downloads](https://img.shields.io/pypi/dm/auto-auth-cli?logo=pypi&logoColor=white)](https://pypi.org/project/auto-auth-cli/)
+[![Python Version](https://img.shields.io/pypi/pyversions/auto-auth-cli?logo=python&logoColor=white)](https://pypi.org/project/auto-auth-cli/)
+[![License](https://img.shields.io/github/license/midodimori/auto-auth-cli)](https://github.com/midodimori/auto-auth-cli/blob/main/LICENSE)
+
+`auto-auth` lets you keep multiple authentication profiles for a supported CLI and launch that CLI with the profile you choose. For Codex, it only replaces:
+
+```text
+~/.codex/auth.json
+```
+
+Everything else in `~/.codex` stays shared across profiles.
+
+## Table of Contents
+
+- [Supported Tools](#supported-tools)
+- [Prerequisites](#prerequisites)
+- [Installation](#installation)
+  - [From PyPI](#from-pypi)
+  - [Quick Try from GitHub](#quick-try-from-github)
+  - [Install from GitHub](#install-from-github)
+  - [From Source](#from-source)
+- [Quick Start](#quick-start)
+- [Usage](#usage)
+  - [Codex](#codex)
+  - [Claude Code](#claude-code)
+- [Stored Files](#stored-files)
+- [Development](#development)
+
+## Supported Tools
+
+| Tool | Status | Command category |
+|------|--------|------------------|
+| Codex | Supported | `auto-auth codex ...` |
+| Claude Code | Planned | Not available yet |
+
+## Prerequisites
+
+- **Python 3.13+** - Required by the package.
+- **[uv](https://docs.astral.sh/uv/)** - Used for installation and local development.
+- **Codex CLI** - Required for the current `codex` category. The `codex` executable must be available in `PATH`.
+
+## Installation
+
+Use `--python 3.13` so uv builds the isolated tool environment with a supported Python version.
+
+### From PyPI
+
+Use this for the latest published release.
+
+**Quick try (no installation):**
+
+```sh
+uvx --python 3.13 --from auto-auth-cli@latest auto-auth codex --status
+```
+
+**Install globally:**
+
+```sh
+uv tool install --python 3.13 auto-auth-cli
+```
+
+Then run from any directory:
+
+```sh
+auto-auth codex --status
+```
+
+> **Upgrading:** Run `uv tool upgrade --python 3.13 auto-auth-cli`.
+
+### Quick Try from GitHub
+
+Run `auto-auth` directly from GitHub without installing it globally:
+
+```sh
+uvx --python 3.13 --from git+https://github.com/midodimori/auto-auth-cli auto-auth codex --status
+```
+
+You can use the same `uvx` form for any Codex command:
+
+```sh
+uvx --python 3.13 --from git+https://github.com/midodimori/auto-auth-cli auto-auth codex --setup
+uvx --python 3.13 --from git+https://github.com/midodimori/auto-auth-cli auto-auth codex --auto
+uvx --python 3.13 --from git+https://github.com/midodimori/auto-auth-cli auto-auth codex --profile you -- -m gpt-5.5
+```
+
+### Install from GitHub
+
+Recommended when you want the latest version from the repository available as a normal command.
+
+```sh
+uv tool install --python 3.13 git+https://github.com/midodimori/auto-auth-cli
+```
+
+Then run from any directory:
+
+```sh
+auto-auth codex --status
+```
+
+> **Upgrading:** Re-run `uv tool install --force --python 3.13 git+https://github.com/midodimori/auto-auth-cli`.
+
+### From Source
+
+```sh
+git clone https://github.com/midodimori/auto-auth-cli.git
+cd auto-auth-cli
+uv sync
+uv run auto-auth codex --status
+```
+
+To install globally from source:
+
+```sh
+uv tool install --python 3.13 --editable .
+```
+
+Then run from any directory:
+
+```sh
+auto-auth codex --status
+```
+
+## Quick Start
+
+Create a Codex profile:
+
+```sh
+auto-auth codex --setup
+```
+
+List saved profiles:
+
+```sh
+auto-auth codex --status
+```
+
+Run Codex with a saved profile:
+
+```sh
+auto-auth codex --profile you@example.com
+```
+
+Run Codex with the first profile that has available quota:
+
+```sh
+auto-auth codex --auto
+```
+
+Pass Codex arguments after `--`:
+
+```sh
+auto-auth codex --profile you -- -m gpt-5.5  # Run Codex with a specific profile and model
+auto-auth codex --auto -- -m gpt-5.5  # Auto-select a profile, then run Codex with a model
+auto-auth codex --auto -- --yolo app  # Auto-select a profile, then run the Codex app in yolo mode
+```
+
+## Usage
+
+The first positional argument is the tool category. Codex is the only supported category today.
+
+```sh
+auto-auth <tool> [OPTIONS] [-- TOOL_ARGS...]
+```
+
+### Codex
+
+#### Create a Profile
+
+```sh
+auto-auth codex --setup
+```
+
+`--setup` runs `codex login` in a temporary Codex home, extracts the account metadata from the generated auth file, and saves it as a reusable profile. It does not overwrite your active `~/.codex/auth.json`.
+
+If setup cannot detect an email or account id, provide a label:
+
+```sh
+auto-auth codex --setup --label work
+```
+
+#### List Profiles
+
+```sh
+auto-auth codex --status
+```
+
+The status output shows the active profile, saved profiles, detected plan type, and active marker when the saved account matches the current `~/.codex/auth.json`.
+
+#### Select a Profile
+
+```sh
+auto-auth codex --profile you@example.com
+```
+
+`--profile` accepts a profile email, profile key, account id, or unique prefix:
+
+```sh
+auto-auth codex --profile you
+```
+
+Before switching, `auto-auth` backs up the current Codex auth file, then installs the selected profile into:
+
+```text
+~/.codex/auth.json
+```
+
+#### Auto-Select a Profile
+
+```sh
+auto-auth codex --auto
+```
+
+`--auto` checks saved profiles and launches Codex with the first account that has available quota. Smaller subscriptions are checked first.
+
+#### Pass Codex Arguments
+
+Put Codex arguments after `--`:
+
+```sh
+auto-auth codex --profile you -- -m gpt-5.5  # Run Codex with a specific profile and model
+auto-auth codex --auto -- -m gpt-5.5  # Auto-select a profile, then run Codex with a model
+auto-auth codex --auto -- --yolo app  # Auto-select a profile, then run the Codex app in yolo mode
+```
+
+The last example runs the Codex app in yolo mode after selecting an available profile.
+
+#### Codex Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `CODEX_HOME` | Active Codex config directory | `~/.codex` |
+| `AUTO_AUTH_HOME` | Root directory for saved profiles and backups | `~/.auto-auth` |
+
+### Claude Code
+
+Claude Code support is planned for a future tool category. Until that adapter exists, `auto-auth` only accepts:
+
+```sh
+auto-auth codex ...
+```
+
+## Stored Files
+
+Codex profiles:
+
+```text
+~/.auto-auth/codex/profiles/
+```
+
+Codex auth backups:
+
+```text
+~/.auto-auth/codex/backups/
+```
+
+If `AUTO_AUTH_HOME` is set, those paths move under that directory.
+
+## Development
+
+```sh
+uv sync --all-groups
+uv run pre-commit install
+uv run pre-commit run --all-files
+uv run pytest -q
+uv run ruff check .
+uv run ty check
+```

auto_auth_cli-0.0.1/pyproject.toml

@@ -0,0 +1,79 @@
+[project]
+name = "auto-auth-cli"
+version = "0.0.1"
+description = "Profile-aware auth wrapper for coder agent CLIs"
+readme = { file = "README.md", content-type = "text/markdown" }
+authors = [
+    { name = "midodimori", email = "midodimori@proton.me" }
+]
+license = { text = "MIT" }
+requires-python = ">=3.13"
+keywords = [
+    "ai",
+    "auth",
+    "cli",
+    "codex",
+    "profile",
+]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: MacOS",
+    "Operating System :: POSIX :: Linux",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3 :: Only",
+    "Topic :: Software Development",
+    "Topic :: System :: Systems Administration",
+]
+dependencies = []
+
+[project.urls]
+Homepage = "https://github.com/midodimori/auto-auth-cli"
+Repository = "https://github.com/midodimori/auto-auth-cli"
+Issues = "https://github.com/midodimori/auto-auth-cli/issues"
+Changelog = "https://github.com/midodimori/auto-auth-cli/blob/main/CHANGELOG.md"
+
+[project.scripts]
+auto-auth = "auto_auth_cli.cli:main"
+
+[build-system]
+requires = ["uv_build>=0.9.14,<0.10.0"]
+build-backend = "uv_build"
+
+[dependency-groups]
+dev = [
+    "pre-commit>=4.6.0",
+    "pytest>=9.0.3",
+    "python-semantic-release~=10.5.3",
+    "ruff>=0.15.16",
+    "ty>=0.0.44",
+]
+
+[tool.semantic_release]
+version_toml = ["pyproject.toml:project.version"]
+version_variables = ["src/auto_auth_cli/__init__.py:__version__"]
+commit_parser = "conventional"
+major_on_zero = false
+commit_author = "github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
+build_command = "uv lock && git add uv.lock"
+
+[tool.semantic_release.commit_parser_options]
+allowed_tags = ["feat", "fix", "perf", "refactor", "docs", "test", "build", "ci", "chore"]
+minor_tags = ["feat"]
+patch_tags = ["fix", "perf", "refactor"]
+
+[tool.semantic_release.changelog]
+exclude_commit_patterns = []
+mode = "update"
+
+[tool.semantic_release.changelog.default_templates]
+changelog_file = "CHANGELOG.md"
+
+[tool.semantic_release.changelog.environment]
+keep_trailing_newline = true
+
+[tool.semantic_release.remote]
+type = "github"

auto_auth_cli-0.0.1/src/auto_auth_cli/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.0.1"

auto_auth_cli-0.0.1/src/auto_auth_cli/cli.py

@@ -0,0 +1,175 @@
+from __future__ import annotations
+
+import argparse
+import json
+import os
+from pathlib import Path
+import shutil
+import subprocess
+import sys
+import tempfile
+
+from auto_auth_cli.metadata import AuthMetadata, sanitize_profile_key
+from auto_auth_cli.paths import ToolPaths
+from auto_auth_cli.store import ProfileStore
+from auto_auth_cli.tools import get_tool, tool_names
+from auto_auth_cli.tools.base import ToolAdapter
+
+
+def main() -> None:
+    raise SystemExit(run(sys.argv[1:]))
+
+
+def run(argv: list[str]) -> int:
+    parser = build_parser()
+    args = parser.parse_args(argv)
+    adapter = get_tool(args.tool)
+    paths = ToolPaths.from_env(adapter)
+    store = ProfileStore(paths)
+
+    try:
+        if args.status:
+            return _status(adapter, store, paths)
+        if args.setup:
+            return _setup(adapter, store, args.label)
+        if args.auto:
+            return _auto(adapter, store, args.tool_args)
+        if args.profile:
+            profile = store.install_profile(args.profile)
+            print(
+                f"Using {adapter.name} auth profile: {profile.metadata.label}",
+                file=sys.stderr,
+            )
+            return _exec_tool(adapter, args.tool_args)
+    except (OSError, ValueError, subprocess.CalledProcessError, json.JSONDecodeError) as error:
+        print(f"auto-auth: {error}", file=sys.stderr)
+        return 1
+
+    parser.error("provide --setup, --status, --auto, or --profile")
+    return 2
+
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(prog="auto-auth")
+    subparsers = parser.add_subparsers(dest="tool", required=True)
+
+    for tool_name in tool_names():
+        tool_parser = subparsers.add_parser(
+            tool_name, help=f"manage and launch {tool_name} auth profiles"
+        )
+        group = tool_parser.add_mutually_exclusive_group(required=True)
+        group.add_argument("--setup", action="store_true", help=f"create a profile via {tool_name} login")
+        group.add_argument("--status", action="store_true", help=f"list {tool_name} auth profiles")
+        group.add_argument("--auto", action="store_true", help="use the first profile with available quota")
+        group.add_argument("--profile", help="profile email, key, account id, or unique prefix")
+        tool_parser.add_argument(
+            "--label",
+            help="fallback label for setup when the auth token has no email or account id",
+        )
+        tool_parser.add_argument("tool_args", nargs=argparse.REMAINDER)
+    return parser
+
+
+def _status(adapter: ToolAdapter, store: ProfileStore, paths: ToolPaths) -> int:
+    active_metadata = None
+    if paths.active_auth_path.exists():
+        active_json = _read_json(paths.active_auth_path)
+        active_metadata = adapter.extract_metadata(active_json)
+
+    active_account = active_metadata.account_id if active_metadata else None
+    print(f"Active: {active_metadata.label if active_metadata else 'none'}")
+    print()
+    print("Profiles:")
+
+    profiles = store.list_profiles()
+    if not profiles:
+        print("  none")
+        return 0
+
+    for profile in profiles:
+        marker = (
+            " active"
+            if active_account and profile.metadata.account_id == active_account
+            else ""
+        )
+        plan = profile.metadata.plan_type or "unknown"
+        print(f"  {profile.metadata.label}\t{plan}{marker}")
+    return 0
+
+
+def _setup(adapter: ToolAdapter, store: ProfileStore, label: str | None) -> int:
+    executable = shutil.which(adapter.executable)
+    if executable is None:
+        raise OSError(f"{adapter.executable} executable not found in PATH")
+
+    with tempfile.TemporaryDirectory(prefix=f"auto-auth-{adapter.name}-") as temp_dir:
+        temp_home = Path(temp_dir)
+        subprocess.run(
+            adapter.login_command(executable),
+            check=True,
+            env=adapter.setup_env(temp_home),
+        )
+        auth_json = _read_json(adapter.active_auth_path(temp_home))
+        metadata = _metadata_with_label_fallback(adapter, auth_json, label)
+        if metadata.label == "unknown":
+            raise ValueError("could not extract email or account id; rerun with --label")
+        store.save_profile(metadata, auth_json)
+        print(f"Saved {adapter.name} auth profile: {metadata.label}")
+    return 0
+
+
+def _auto(adapter: ToolAdapter, store: ProfileStore, tool_args: list[str]) -> int:
+    executable = shutil.which(adapter.executable)
+    if executable is None:
+        raise OSError(f"{adapter.executable} executable not found in PATH")
+
+    profiles = adapter.sort_profiles_for_auto(store.list_profiles())
+    if not profiles:
+        raise ValueError(f"no {adapter.name} auth profiles saved")
+
+    selector = getattr(adapter, "select_usable_profile", None)
+    if selector is None:
+        raise ValueError(f"{adapter.name} does not support automatic profile selection")
+
+    profile = selector(profiles, executable)
+    if profile is None:
+        raise ValueError(f"no usable {adapter.name} auth profiles found")
+
+    store.install_profile(profile.metadata.key)
+    print(
+        f"Using {adapter.name} auth profile: {profile.metadata.label}",
+        file=sys.stderr,
+    )
+    return _exec_tool(adapter, tool_args)
+
+
+def _metadata_with_label_fallback(
+    adapter: ToolAdapter, auth_json: dict, label: str | None
+) -> AuthMetadata:
+    metadata = adapter.extract_metadata(auth_json)
+    if metadata.label != "unknown" or not label:
+        return metadata
+    return AuthMetadata(
+        key=sanitize_profile_key(label),
+        label=label,
+        email=None,
+        account_id=metadata.account_id,
+        plan_type=metadata.plan_type,
+    )
+
+
+def _exec_tool(adapter: ToolAdapter, tool_args: list[str]) -> int:
+    args = tool_args[1:] if tool_args and tool_args[0] == "--" else tool_args
+    argv = [adapter.executable, *args]
+    try:
+        os.execvp(adapter.executable, argv)
+    except SystemExit as exc:
+        return int(exc.code or 0)
+    return 0
+
+
+def _read_json(path: Path) -> dict:
+    data = json.loads(path.read_text())
+    if not isinstance(data, dict):
+        raise ValueError(f"{path} must contain a JSON object")
+    return data

auto_auth_cli-0.0.1/src/auto_auth_cli/jwt.py

@@ -0,0 +1,19 @@
+import base64
+import json
+from typing import Any
+
+
+def decode_jwt_payload(token: str) -> dict[str, Any]:
+    parts = token.split(".")
+    if len(parts) < 2:
+        return {}
+
+    payload = parts[1]
+    padding = "=" * (-len(payload) % 4)
+    try:
+        decoded = base64.urlsafe_b64decode((payload + padding).encode("ascii"))
+        data = json.loads(decoded.decode("utf-8"))
+    except (ValueError, UnicodeDecodeError):
+        return {}
+
+    return data if isinstance(data, dict) else {}

auto_auth_cli-0.0.1/src/auto_auth_cli/metadata.py

@@ -0,0 +1,18 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+import re
+
+
+@dataclass(frozen=True)
+class AuthMetadata:
+    key: str
+    label: str
+    email: str | None
+    account_id: str | None
+    plan_type: str | None
+
+
+def sanitize_profile_key(value: str) -> str:
+    key = re.sub(r"[^a-zA-Z0-9]+", "_", value.strip().lower()).strip("_")
+    return key or "profile"

auto_auth_cli-0.0.1/src/auto_auth_cli/paths.py

@@ -0,0 +1,47 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+import os
+from pathlib import Path
+from typing import Protocol
+
+
+class ToolPathAdapter(Protocol):
+    name: str
+
+    def default_auth_home(self) -> Path: ...
+
+    def active_auth_path(self, auth_home: Path) -> Path: ...
+
+
+@dataclass(frozen=True)
+class ToolPaths:
+    tool_name: str
+    auto_auth_home: Path
+    auth_home: Path
+    active_auth_path: Path
+
+    @classmethod
+    def from_env(cls, adapter: ToolPathAdapter) -> ToolPaths:
+        home = Path.home()
+        auto_auth_root = Path(os.environ.get("AUTO_AUTH_HOME", home / ".auto-auth"))
+        auth_home = Path(
+            os.environ.get(f"{adapter.name.upper()}_HOME", adapter.default_auth_home())
+        )
+        return cls(
+            tool_name=adapter.name,
+            auto_auth_home=auto_auth_root / adapter.name,
+            auth_home=auth_home,
+            active_auth_path=adapter.active_auth_path(auth_home),
+        )
+
+    @property
+    def profiles_dir(self) -> Path:
+        return self.auto_auth_home / "profiles"
+
+    @property
+    def backups_dir(self) -> Path:
+        return self.auto_auth_home / "backups"
+
+
+AutoAuthPaths = ToolPaths

auto_auth_cli-0.0.1/src/auto_auth_cli/store.py

@@ -0,0 +1,102 @@
+from __future__ import annotations
+
+from dataclasses import asdict, dataclass
+from datetime import datetime, timezone
+import json
+import os
+from pathlib import Path
+import shutil
+
+from auto_auth_cli.metadata import AuthMetadata
+from auto_auth_cli.paths import ToolPaths
+
+
+@dataclass(frozen=True)
+class Profile:
+    metadata: AuthMetadata
+    auth_path: Path
+
+
+class ProfileStore:
+    def __init__(self, paths: ToolPaths):
+        self.paths = paths
+
+    def save_profile(self, metadata: AuthMetadata, auth_json: dict) -> Profile:
+        profile_dir = self.paths.profiles_dir / metadata.key
+        profile_dir.mkdir(parents=True, exist_ok=True)
+        auth_path = profile_dir / "auth.json"
+        metadata_path = profile_dir / "metadata.json"
+        _write_json_atomic(auth_path, auth_json, mode=0o600)
+        _write_json_atomic(metadata_path, asdict(metadata), mode=0o600)
+        return Profile(metadata=metadata, auth_path=auth_path)
+
+    def list_profiles(self) -> list[Profile]:
+        if not self.paths.profiles_dir.exists():
+            return []
+
+        profiles: list[Profile] = []
+        for metadata_path in sorted(self.paths.profiles_dir.glob("*/metadata.json")):
+            try:
+                raw = json.loads(metadata_path.read_text())
+                metadata = AuthMetadata(**raw)
+            except (OSError, TypeError, ValueError):
+                continue
+            profiles.append(
+                Profile(metadata=metadata, auth_path=metadata_path.parent / "auth.json")
+            )
+        return profiles
+
+    def resolve_profile(self, selector: str) -> Profile:
+        selector_lower = selector.lower()
+        prefix_matches: list[Profile] = []
+
+        for profile in self.list_profiles():
+            candidates = [
+                profile.metadata.key,
+                profile.metadata.label,
+                profile.metadata.email or "",
+                profile.metadata.account_id or "",
+            ]
+            lowered = [candidate.lower() for candidate in candidates if candidate]
+            if selector_lower in lowered:
+                return profile
+            if any(candidate.startswith(selector_lower) for candidate in lowered):
+                prefix_matches.append(profile)
+
+        if len(prefix_matches) == 1:
+            return prefix_matches[0]
+        if len(prefix_matches) > 1:
+            labels = ", ".join(profile.metadata.label for profile in prefix_matches)
+            raise ValueError(f"profile selector {selector!r} is ambiguous: {labels}")
+        raise ValueError(f"profile {selector!r} not found")
+
+    def install_profile(self, selector: str) -> Profile:
+        profile = self.resolve_profile(selector)
+        self.paths.auth_home.mkdir(parents=True, exist_ok=True)
+        self.paths.backups_dir.mkdir(parents=True, exist_ok=True)
+
+        active_auth = self.paths.active_auth_path
+        if active_auth.exists():
+            timestamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
+            backup_path = self.paths.backups_dir / f"auth.{timestamp}.json"
+            shutil.copy2(active_auth, backup_path)
+            _chmod_private(backup_path)
+
+        tmp_path = active_auth.with_name("auth.json.tmp")
+        shutil.copy2(profile.auth_path, tmp_path)
+        _chmod_private(tmp_path)
+        os.replace(tmp_path, active_auth)
+        _chmod_private(active_auth)
+        return profile
+
+
+def _write_json_atomic(path: Path, data: dict, mode: int) -> None:
+    tmp_path = path.with_name(path.name + ".tmp")
+    tmp_path.write_text(json.dumps(data, indent=2, sort_keys=True) + "\n")
+    os.chmod(tmp_path, mode)
+    os.replace(tmp_path, path)
+
+
+def _chmod_private(path: Path) -> None:
+    if os.name == "posix":
+        os.chmod(path, 0o600)

auto_auth_cli-0.0.1/src/auto_auth_cli/tools/__init__.py

@@ -0,0 +1,20 @@
+from __future__ import annotations
+
+from auto_auth_cli.tools.base import ToolAdapter
+from auto_auth_cli.tools.codex import CodexAdapter
+
+_TOOLS: dict[str, ToolAdapter] = {
+    "codex": CodexAdapter(),
+}
+
+
+def get_tool(name: str) -> ToolAdapter:
+    try:
+        return _TOOLS[name]
+    except KeyError:
+        supported = ", ".join(sorted(_TOOLS))
+        raise ValueError(f"unsupported tool {name!r}; supported tools: {supported}") from None
+
+
+def tool_names() -> list[str]:
+    return sorted(_TOOLS)

auto_auth_cli-0.0.1/src/auto_auth_cli/tools/base.py

@@ -0,0 +1,24 @@
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Any, Protocol
+
+from auto_auth_cli.metadata import AuthMetadata
+from auto_auth_cli.store import Profile
+
+
+class ToolAdapter(Protocol):
+    name: str
+    executable: str
+
+    def default_auth_home(self) -> Path: ...
+
+    def active_auth_path(self, auth_home: Path) -> Path: ...
+
+    def setup_env(self, temp_home: Path) -> dict[str, str]: ...
+
+    def login_command(self, executable_path: str) -> list[str]: ...
+
+    def extract_metadata(self, auth_json: dict[str, Any]) -> AuthMetadata: ...
+
+    def sort_profiles_for_auto(self, profiles: list[Profile]) -> list[Profile]: ...

auto_auth_cli-0.0.1/src/auto_auth_cli/tools/codex/__init__.py

@@ -0,0 +1,3 @@
+from auto_auth_cli.tools.codex.adapter import CodexAdapter
+
+__all__ = ["CodexAdapter"]

auto_auth_cli-0.0.1/src/auto_auth_cli/tools/codex/adapter.py

@@ -0,0 +1,56 @@
+from __future__ import annotations
+
+import os
+from pathlib import Path
+from typing import Any
+
+from auto_auth_cli.metadata import AuthMetadata
+from auto_auth_cli.store import Profile
+from auto_auth_cli.tools.codex.auth import extract_metadata
+from auto_auth_cli.tools.codex.plans import plan_priority
+from auto_auth_cli.tools.codex.rate_limits import profile_has_available_quota
+
+
+class CodexAdapter:
+    name = "codex"
+    executable = "codex"
+
+    def default_auth_home(self) -> Path:
+        return Path.home() / ".codex"
+
+    def active_auth_path(self, auth_home: Path) -> Path:
+        return auth_home / "auth.json"
+
+    def setup_env(self, temp_home: Path) -> dict[str, str]:
+        env = os.environ.copy()
+        env["CODEX_HOME"] = str(temp_home)
+        return env
+
+    def login_command(self, executable_path: str) -> list[str]:
+        return [executable_path, "login"]
+
+    def extract_metadata(self, auth_json: dict[str, Any]) -> AuthMetadata:
+        return extract_metadata(auth_json)
+
+    def sort_profiles_for_auto(self, profiles: list[Profile]) -> list[Profile]:
+        return sorted(
+            profiles,
+            key=lambda profile: (
+                plan_priority(profile.metadata.plan_type),
+                profile.metadata.label.lower(),
+            ),
+        )
+
+    def select_usable_profile(
+        self, profiles: list[Profile], executable_path: str
+    ) -> Profile | None:
+        for profile in profiles:
+            try:
+                has_available_quota = profile_has_available_quota(
+                    profile, executable_path
+                )
+            except (OSError, RuntimeError):
+                has_available_quota = False
+            if has_available_quota:
+                return profile
+        return None

auto_auth_cli-0.0.1/src/auto_auth_cli/tools/codex/auth.py

@@ -0,0 +1,51 @@
+from __future__ import annotations
+
+from typing import Any
+
+from auto_auth_cli.jwt import decode_jwt_payload
+from auto_auth_cli.metadata import AuthMetadata, sanitize_profile_key
+
+AUTH_CLAIMS_KEY = "https://api.openai.com/auth"
+
+
+def extract_metadata(auth_json: dict[str, Any]) -> AuthMetadata:
+    tokens = auth_json.get("tokens")
+    if not isinstance(tokens, dict):
+        tokens = {}
+
+    payloads: list[dict[str, Any]] = []
+    for token_name in ("id_token", "access_token"):
+        token = tokens.get(token_name)
+        if isinstance(token, str):
+            payloads.append(decode_jwt_payload(token))
+
+    email = _first_string(payloads, "email")
+    account_id = _first_chatgpt_claim(payloads, "chatgpt_account_id")
+    plan_type = _first_chatgpt_claim(payloads, "chatgpt_plan_type")
+    label = email or account_id or "unknown"
+
+    return AuthMetadata(
+        key=sanitize_profile_key(label),
+        label=label,
+        email=email,
+        account_id=account_id,
+        plan_type=plan_type,
+    )
+
+
+def _first_string(payloads: list[dict[str, Any]], key: str) -> str | None:
+    for payload in payloads:
+        value = payload.get(key)
+        if isinstance(value, str) and value.strip():
+            return value.strip()
+    return None
+
+
+def _first_chatgpt_claim(payloads: list[dict[str, Any]], key: str) -> str | None:
+    for payload in payloads:
+        claims = payload.get(AUTH_CLAIMS_KEY)
+        if isinstance(claims, dict):
+            value = claims.get(key)
+            if isinstance(value, str) and value.strip():
+                return value.strip()
+    return None

auto_auth_cli-0.0.1/src/auto_auth_cli/tools/codex/plans.py

@@ -0,0 +1,23 @@
+AUTO_PLAN_PRIORITY = [
+    "free",
+    "go",
+    "plus",
+    "prolite",
+    "pro",
+    "team",
+    "self_serve_business_usage_based",
+    "business",
+    "enterprise_cbp_usage_based",
+    "enterprise",
+    "edu",
+]
+
+
+def plan_priority(plan_type: str | None) -> int:
+    if plan_type is None:
+        return len(AUTO_PLAN_PRIORITY)
+    normalized = plan_type.strip().lower()
+    try:
+        return AUTO_PLAN_PRIORITY.index(normalized)
+    except ValueError:
+        return len(AUTO_PLAN_PRIORITY)

auto_auth_cli-0.0.1/src/auto_auth_cli/tools/codex/rate_limits.py

@@ -0,0 +1,127 @@
+from __future__ import annotations
+
+import json
+import os
+from pathlib import Path
+import queue
+import shutil
+import subprocess
+import tempfile
+import threading
+from typing import Any
+
+from auto_auth_cli.store import Profile
+
+
+def profile_has_available_quota(profile: Profile, executable_path: str) -> bool:
+    with tempfile.TemporaryDirectory(prefix="auto-auth-codex-probe-") as temp_dir:
+        temp_home = Path(temp_dir)
+        shutil.copy2(profile.auth_path, temp_home / "auth.json")
+        response = read_account_rate_limits(executable_path, temp_home)
+    return is_usable_rate_limits(response)
+
+
+def is_usable_rate_limits(response: dict[str, Any]) -> bool:
+    rate_limits = response.get("rateLimits")
+    if not isinstance(rate_limits, dict):
+        return False
+    if rate_limits.get("rateLimitReachedType") is not None:
+        return False
+    return _window_allows(rate_limits.get("primary")) and _window_allows(
+        rate_limits.get("secondary")
+    )
+
+
+def read_account_rate_limits(executable_path: str, codex_home: Path) -> dict[str, Any]:
+    env = os.environ.copy()
+    env["CODEX_HOME"] = str(codex_home)
+    process = subprocess.Popen(
+        [executable_path, "app-server", "--listen", "stdio://"],
+        stdin=subprocess.PIPE,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.DEVNULL,
+        text=True,
+        env=env,
+    )
+    if process.stdin is None or process.stdout is None:
+        raise RuntimeError("failed to open codex app-server pipes")
+
+    lines: queue.Queue[str] = queue.Queue()
+    reader = threading.Thread(target=_read_stdout, args=(process.stdout, lines), daemon=True)
+    reader.start()
+
+    try:
+        _send(process, {"method": "initialize", "id": 1, "params": _initialize_params()})
+        _read_response(lines, request_id=1, timeout_seconds=10)
+        _send(process, {"method": "initialized", "params": {}})
+        _send(process, {"method": "account/rateLimits/read", "id": 2})
+        message = _read_response(lines, request_id=2, timeout_seconds=10)
+    finally:
+        process.terminate()
+        try:
+            process.wait(timeout=2)
+        except subprocess.TimeoutExpired:
+            process.kill()
+            process.wait(timeout=2)
+
+    if "error" in message:
+        error = message["error"]
+        if isinstance(error, dict):
+            raise RuntimeError(error.get("message") or json.dumps(error))
+        raise RuntimeError(str(error))
+
+    result = message.get("result")
+    if not isinstance(result, dict):
+        raise RuntimeError("codex app-server returned an invalid rate limit response")
+    return result
+
+
+def _window_allows(value: Any) -> bool:
+    if value is None:
+        return True
+    if not isinstance(value, dict):
+        return False
+    used_percent = value.get("usedPercent")
+    if not isinstance(used_percent, int | float):
+        return False
+    return used_percent < 100
+
+
+def _initialize_params() -> dict[str, Any]:
+    return {
+        "clientInfo": {
+            "name": "auto_auth_cli",
+            "title": "auto-auth-cli",
+            "version": "0.1.0",
+        }
+    }
+
+
+def _send(process: subprocess.Popen[str], message: dict[str, Any]) -> None:
+    if process.stdin is None:
+        raise RuntimeError("codex app-server stdin is closed")
+    process.stdin.write(json.dumps(message, separators=(",", ":")) + "\n")
+    process.stdin.flush()
+
+
+def _read_stdout(stdout, lines: queue.Queue[str]) -> None:
+    for line in stdout:
+        lines.put(line)
+
+
+def _read_response(
+    lines: queue.Queue[str], request_id: int, timeout_seconds: int
+) -> dict[str, Any]:
+    while True:
+        try:
+            line = lines.get(timeout=timeout_seconds)
+        except queue.Empty as exc:
+            raise RuntimeError("timed out waiting for codex rate limits") from exc
+        try:
+            message = json.loads(line)
+        except json.JSONDecodeError:
+            continue
+        if not isinstance(message, dict):
+            continue
+        if message.get("id") == request_id:
+            return message