Summary
Please consider adding an official privacy option for account display labels across all oc-codex-multi-auth UI surfaces.
Currently, some parts of the plugin can mask emails (maskEmail and maskEmailInQuotaDetails), but other account-switching and account-listing paths still render full account emails. This can expose private ChatGPT/Codex account emails in screenshots, screen sharing, terminal recordings, or shared OpenCode TUI sessions.
I locally patched the installed package so account UIs prefer user-defined account labels such as plus-1, plus-2, pro-1, and only fall back to a masked email when no label exists. It would be helpful to make this behavior official and configurable.
Environment
- Package:
oc-codex-multi-auth
- Version observed:
6.2.0
- OpenCode version:
1.15.13
- Platform: macOS arm64
- Install/cache locations observed:
~/.cache/opencode/packages/oc-codex-multi-auth@latest/node_modules/oc-codex-multi-auth~/.npm/_npx/.../node_modules/oc-codex-multi-auth
Current behavior
With multiple Codex accounts configured and labels set via codex-label, for example:
codex-label index=1 label="plus-1"
codex-label index=2 label="plus-2"
codex-label index=3 label="pro-1"
the account switcher and related account display paths may still show full account emails instead of only showing the label.
The existing config helps with the quota/status surfaces:
{
"perProjectAccounts": false,
"maskEmail": true,
"maskEmailInQuotaDetails": true
}However, full emails can still be shown in additional UI/account formatting paths.
Expected behavior
When account labels are present, all visible account-selection/account-status/account-listing surfaces should prefer the label and avoid showing the raw email.
Suggested behavior:
- If
account.accountLabel exists, display only the label, e.g. plus-1, plus-2, pro-1.
- If no label exists and an email exists, display a masked email, e.g.
ab***@example.com or the existing ***** style depending on config.
- Avoid rendering full email addresses unless explicitly configured by the user.
Local patch I applied
I patched the following compiled display paths locally:
dist/lib/ui/auth-menu.js
accountTitle(account) now prefers account.accountLabel; if missing, it uses maskEmailForDisplay(account.email).
dist/index.js
formatCommandAccountLabel(account, index) now prefers account.accountLabel; if missing, it uses masked email.
dist/tui.js
formatTuiAccountLabel(account, index) now prefers account.accountLabel; if missing, it uses masked email.
dist/lib/cli.js
formatAccountLabel(account, index) now prefers account.accountLabel; if missing, it uses masked email.
dist/lib/accounts.js
- exported
formatAccountLabel(account, index) now prefers account.accountLabel; if missing, it uses masked email.
I also had to patch both OpenCode's plugin cache and the npx cache, because both copies can exist locally:
~/.cache/opencode/packages/...~/.npm/_npx/...
Example patch logic
This is the display helper I used locally:
function maskEmailForDisplay(email) {
const trimmed = email?.trim();
if (!trimmed) return undefined;
const atIndex = trimmed.indexOf("@");
if (atIndex <= 0) return "*****";
return `${trimmed.slice(0, Math.min(2, atIndex))}***${trimmed.slice(atIndex)}`;
}And for account titles:
const label = account.accountLabel?.trim();
if (label) return `${account.index + 1}. ${label}`;
const email = maskEmailForDisplay(account.email);Suggested official implementation
Possible config additions or behavior changes:
{
"maskEmail": true,
"maskEmailInQuotaDetails": true,
"preferAccountLabel": true,
"maskEmailInAccountMenus": true,
"maskEmailInCommandOutput": true
}Or simpler: when maskEmail is enabled, apply it consistently to every account display surface, not only quota/status. When accountLabel exists, prefer it over email everywhere.
Why this matters
OpenCode TUI is often used during pair programming, screen sharing, terminal recording, and screenshots. Full email addresses are personally identifying and do not need to be displayed when stable labels like plus-1, plus-2, or pro-1 are available.
This would make the privacy behavior consistent and avoid requiring local patches after plugin reinstall/update.
Validation from local patch
After patching locally:
codex-list displays labels like Account 1 (plus-1) instead of full email in labels.- Account switcher display paths prefer
plus-1 / plus-2 / pro-1.
- TUI quota/status still works with
maskEmail and maskEmailInQuotaDetails enabled.
- Syntax checks passed for the patched JavaScript files.
Summary
Please consider adding an official privacy option for account display labels across all
oc-codex-multi-authUI surfaces.Currently, some parts of the plugin can mask emails (
maskEmailandmaskEmailInQuotaDetails), but other account-switching and account-listing paths still render full account emails. This can expose private ChatGPT/Codex account emails in screenshots, screen sharing, terminal recordings, or shared OpenCode TUI sessions.I locally patched the installed package so account UIs prefer user-defined account labels such as
plus-1,plus-2,pro-1, and only fall back to a masked email when no label exists. It would be helpful to make this behavior official and configurable.Environment
oc-codex-multi-auth6.2.01.15.13~/.cache/opencode/packages/oc-codex-multi-auth@latest/node_modules/oc-codex-multi-auth~/.npm/_npx/.../node_modules/oc-codex-multi-authCurrent behavior
With multiple Codex accounts configured and labels set via
codex-label, for example:the account switcher and related account display paths may still show full account emails instead of only showing the label.
The existing config helps with the quota/status surfaces:
{ "perProjectAccounts": false, "maskEmail": true, "maskEmailInQuotaDetails": true }However, full emails can still be shown in additional UI/account formatting paths.
Expected behavior
When account labels are present, all visible account-selection/account-status/account-listing surfaces should prefer the label and avoid showing the raw email.
Suggested behavior:
account.accountLabelexists, display only the label, e.g.plus-1,plus-2,pro-1.ab***@example.comor the existing*****style depending on config.Local patch I applied
I patched the following compiled display paths locally:
dist/lib/ui/auth-menu.jsaccountTitle(account)now prefersaccount.accountLabel; if missing, it usesmaskEmailForDisplay(account.email).dist/index.jsformatCommandAccountLabel(account, index)now prefersaccount.accountLabel; if missing, it uses masked email.dist/tui.jsformatTuiAccountLabel(account, index)now prefersaccount.accountLabel; if missing, it uses masked email.dist/lib/cli.jsformatAccountLabel(account, index)now prefersaccount.accountLabel; if missing, it uses masked email.dist/lib/accounts.jsformatAccountLabel(account, index)now prefersaccount.accountLabel; if missing, it uses masked email.I also had to patch both OpenCode's plugin cache and the
npxcache, because both copies can exist locally:~/.cache/opencode/packages/...~/.npm/_npx/...Example patch logic
This is the display helper I used locally:
And for account titles:
Suggested official implementation
Possible config additions or behavior changes:
{ "maskEmail": true, "maskEmailInQuotaDetails": true, "preferAccountLabel": true, "maskEmailInAccountMenus": true, "maskEmailInCommandOutput": true }Or simpler: when
maskEmailis enabled, apply it consistently to every account display surface, not only quota/status. WhenaccountLabelexists, prefer it over email everywhere.Why this matters
OpenCode TUI is often used during pair programming, screen sharing, terminal recording, and screenshots. Full email addresses are personally identifying and do not need to be displayed when stable labels like
plus-1,plus-2, orpro-1are available.This would make the privacy behavior consistent and avoid requiring local patches after plugin reinstall/update.
Validation from local patch
After patching locally:
codex-listdisplays labels likeAccount 1 (plus-1)instead of full email in labels.plus-1/plus-2/pro-1.maskEmailandmaskEmailInQuotaDetailsenabled.