From 3842fa3f8368abd7ef505b6ed2760ac59653b6bb Mon Sep 17 00:00:00 2001
From: Scott Lovegrove <scott@ferretlabs.com>
Date: Sat, 23 May 2026 14:53:11 +0100
Subject: [PATCH 1/3] feat(auth): add account current/remove Commander
 attachers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Complete the account-management attacher family alongside list/use so
consumers stop hand-rolling these subcommands. `attachAccountCurrentCommand`
is selector-less: reads `store.active()`, derives the default marker from
`store.list()`, and routes out-of-store credential sources (env/legacy) through
an `onNotAuthenticated` hook. `attachAccountRemoveCommand` resolves `<ref>` via
`store.active(ref)` and clears by the resolved canonical `account.id` — never
the raw ref, which `clear()` would silently no-op on.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 README.md                |  56 ++++++---
 src/auth/account.test.ts | 259 ++++++++++++++++++++++++++++++++++++++-
 src/auth/account.ts      | 197 ++++++++++++++++++++++++++++-
 src/auth/index.ts        |  11 +-
 4 files changed, 501 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 0aed89e..1642291 100644
--- a/README.md
+++ b/README.md
@@ -12,20 +12,20 @@ npm install @doist/cli-core
 
 ## What's in it
 
-| Module               | Key exports                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Purpose                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `auth` (subpath)     | `attachLoginCommand`, `attachLogoutCommand`, `attachStatusCommand`, `attachTokenViewCommand`, `attachAccountListCommand`, `attachAccountUseCommand`, `runOAuthFlow`, `refreshAccessToken`, `createPkceProvider`, `createDcrProvider`, `createSecureStore`, `createKeyringTokenStore`, `migrateLegacyAuth`, `persistBundle`, `bundleFromExchange`, PKCE helpers, `AuthProvider` / `TokenStore` / `TokenBundle` / `ActiveBundleSnapshot` / `RefreshInput` / `AccountRef` / `SecureStore` / `UserRecordStore` types, `AttachLogoutRevokeContext` / `AttachAccountListContext` | OAuth runtime plus the Commander attachers for `<cli> [auth] login` / `logout` / `status` / `token` and `<cli> account list` / `use`. `attachLogoutCommand` accepts an optional `revokeToken` hook for best-effort server-side token revocation. Ships the standard public-client PKCE flow (`createPkceProvider`), the RFC 7591 Dynamic Client Registration flow (`createDcrProvider`), a thin cross-platform OS-keyring wrapper (`createSecureStore`), and a multi-account keyring-backed `TokenStore` (`createKeyringTokenStore`) that stores secrets in the OS credential manager and degrades to plaintext in the consumer's config when the keyring is unavailable (WSL/headless Linux/containers). The store contract supports an optional `setBundle(account, bundle)` write method (required on `KeyringTokenStore`) so consumers that need refresh-token persistence can opt in via `TokenBundle`; `active()` stays narrow (access token + account only) so callers that don't need refresh state don't pay extra keyring IPC. `AuthProvider` and `TokenStore` remain the escape hatches for fully bespoke backends (device code, magic-link, …). `logout` / `status` / `token` always attach `--user <ref>` and thread the parsed ref to `store.active(ref)` (and `store.clear(ref)` on `logout`). `commander` (when using the attachers), `open` (browser launch), `@napi-rs/keyring` (when using `createSecureStore` or the keyring `TokenStore`), and `oauth4webapi` (when a consumer opts into silent refresh or uses `createDcrProvider`) are optional peer/optional deps. |
-| `commands` (subpath) | `registerChangelogCommand`, `registerUpdateCommand` (+ semver helpers)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Commander wiring for cli-core's standard commands (e.g. `<cli> changelog`, `<cli> update`, `<cli> update switch`). **Requires** `commander` as an optional peer-dep.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| `config`             | `getConfigPath`, `readConfig`, `readConfigStrict`, `writeConfig`, `updateConfig`, `CoreConfig`, `UpdateChannel`                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Read / write a per-CLI JSON config file with typed error codes; `CoreConfig` is the shape of fields cli-core itself owns (extend it for per-CLI fields).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| `empty`              | `printEmpty`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Print an empty-state message gated on `--json` / `--ndjson` so machine consumers never see human strings on stdout.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| `errors`             | `CliError`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Typed CLI error class with `code` and exit-code mapping.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| `global-args`        | `parseGlobalArgs`, `stripUserFlag`, `createGlobalArgsStore`, `createAccessibleGate`, `createSpinnerGate`, `getProgressJsonlPath`, `isProgressJsonlEnabled`                                                                                                                                                                                                                                                                                                                                                                                                                 | Parse well-known global flags (`--json`, `--ndjson`, `--quiet`, `--verbose`, `--accessible`, `--no-spinner`, `--progress-jsonl`, `--user <ref>`) and derive predicates from them. `stripUserFlag` removes `--user` tokens from argv so the cleaned array can be forwarded to Commander when the flag has no root-program attachment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| `json`               | `formatJson`, `formatNdjson`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Stable JSON / newline-delimited JSON formatting for stdout.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| `markdown` (subpath) | `preloadMarkdown`, `renderMarkdown`, `TerminalRendererOptions`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Lazy-init terminal markdown renderer. **Requires** `marked` and `marked-terminal-renderer` as peer-deps — install only if your CLI uses this subpath.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| `options`            | `ViewOptions`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Type contract for `{ json?, ndjson? }` per-command options that machine-output gates derive from.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| `spinner`            | `createSpinner`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Loading spinner factory wrapping `yocto-spinner` with disable gates.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| `terminal`           | `isCI`, `isStderrTTY`, `isStdinTTY`, `isStdoutTTY`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | TTY / CI detection helpers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| `testing` (subpath)  | `describeEmptyMachineOutput`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Vitest helpers reusable by consuming CLIs (e.g. parametrised empty-state suite covering `--json` / `--ndjson` / human modes).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| Module               | Key exports                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Purpose                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `auth` (subpath)     | `attachLoginCommand`, `attachLogoutCommand`, `attachStatusCommand`, `attachTokenViewCommand`, `attachAccountListCommand`, `attachAccountUseCommand`, `attachAccountCurrentCommand`, `attachAccountRemoveCommand`, `runOAuthFlow`, `refreshAccessToken`, `createPkceProvider`, `createDcrProvider`, `createSecureStore`, `createKeyringTokenStore`, `migrateLegacyAuth`, `persistBundle`, `bundleFromExchange`, PKCE helpers, `AuthProvider` / `TokenStore` / `TokenBundle` / `ActiveBundleSnapshot` / `RefreshInput` / `AccountRef` / `SecureStore` / `UserRecordStore` types, `AttachLogoutRevokeContext` / `AttachAccountListContext` / `AttachAccountCurrentContext` / `AttachAccountRemoveContext` | OAuth runtime plus the Commander attachers for `<cli> [auth] login` / `logout` / `status` / `token` and `<cli> account list` / `use` / `current` / `remove`. `attachLogoutCommand` accepts an optional `revokeToken` hook for best-effort server-side token revocation. Ships the standard public-client PKCE flow (`createPkceProvider`), the RFC 7591 Dynamic Client Registration flow (`createDcrProvider`), a thin cross-platform OS-keyring wrapper (`createSecureStore`), and a multi-account keyring-backed `TokenStore` (`createKeyringTokenStore`) that stores secrets in the OS credential manager and degrades to plaintext in the consumer's config when the keyring is unavailable (WSL/headless Linux/containers). The store contract supports an optional `setBundle(account, bundle)` write method (required on `KeyringTokenStore`) so consumers that need refresh-token persistence can opt in via `TokenBundle`; `active()` stays narrow (access token + account only) so callers that don't need refresh state don't pay extra keyring IPC. `AuthProvider` and `TokenStore` remain the escape hatches for fully bespoke backends (device code, magic-link, …). `logout` / `status` / `token` always attach `--user <ref>` and thread the parsed ref to `store.active(ref)` (and `store.clear(ref)` on `logout`). `commander` (when using the attachers), `open` (browser launch), `@napi-rs/keyring` (when using `createSecureStore` or the keyring `TokenStore`), and `oauth4webapi` (when a consumer opts into silent refresh or uses `createDcrProvider`) are optional peer/optional deps. |
+| `commands` (subpath) | `registerChangelogCommand`, `registerUpdateCommand` (+ semver helpers)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Commander wiring for cli-core's standard commands (e.g. `<cli> changelog`, `<cli> update`, `<cli> update switch`). **Requires** `commander` as an optional peer-dep.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| `config`             | `getConfigPath`, `readConfig`, `readConfigStrict`, `writeConfig`, `updateConfig`, `CoreConfig`, `UpdateChannel`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Read / write a per-CLI JSON config file with typed error codes; `CoreConfig` is the shape of fields cli-core itself owns (extend it for per-CLI fields).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| `empty`              | `printEmpty`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Print an empty-state message gated on `--json` / `--ndjson` so machine consumers never see human strings on stdout.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
+| `errors`             | `CliError`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Typed CLI error class with `code` and exit-code mapping.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| `global-args`        | `parseGlobalArgs`, `stripUserFlag`, `createGlobalArgsStore`, `createAccessibleGate`, `createSpinnerGate`, `getProgressJsonlPath`, `isProgressJsonlEnabled`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Parse well-known global flags (`--json`, `--ndjson`, `--quiet`, `--verbose`, `--accessible`, `--no-spinner`, `--progress-jsonl`, `--user <ref>`) and derive predicates from them. `stripUserFlag` removes `--user` tokens from argv so the cleaned array can be forwarded to Commander when the flag has no root-program attachment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| `json`               | `formatJson`, `formatNdjson`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Stable JSON / newline-delimited JSON formatting for stdout.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| `markdown` (subpath) | `preloadMarkdown`, `renderMarkdown`, `TerminalRendererOptions`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Lazy-init terminal markdown renderer. **Requires** `marked` and `marked-terminal-renderer` as peer-deps — install only if your CLI uses this subpath.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| `options`            | `ViewOptions`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Type contract for `{ json?, ndjson? }` per-command options that machine-output gates derive from.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| `spinner`            | `createSpinner`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Loading spinner factory wrapping `yocto-spinner` with disable gates.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| `terminal`           | `isCI`, `isStderrTTY`, `isStdinTTY`, `isStdoutTTY`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | TTY / CI detection helpers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| `testing` (subpath)  | `describeEmptyMachineOutput`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Vitest helpers reusable by consuming CLIs (e.g. parametrised empty-state suite covering `--json` / `--ndjson` / human modes).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 
 ## Usage
 
@@ -250,12 +250,17 @@ Both attachers strip the standard `--json` / `--ndjson` / `--user` registrar fla
 
 `attachTokenViewCommand` writes the bare stored token to stdout (no envelope, pipe-safe) and appends a trailing newline only when stdout is a TTY. When `envVarName` is set and the env var is populated, it throws `CliError('TOKEN_FROM_ENV', …)` to avoid disclosing a token the CLI did not manage. Defaults to subcommand name `token`; pass `name: 'view'` to nest under an existing `token` group.
 
-#### Account selection (`account list` / `account use`)
+#### Account selection (`account list` / `use` / `current` / `remove`)
 
-For multi-account CLIs, `attachAccountListCommand` and `attachAccountUseCommand` wire `account list` and `account use <ref>` against the `TokenStore.list()` / `setDefault()` contract. Attach both to an `account` parent command — the same registrar shape as the auth siblings.
+For multi-account CLIs, `attachAccountListCommand`, `attachAccountUseCommand`, `attachAccountCurrentCommand`, and `attachAccountRemoveCommand` wire `account list`, `account use <ref>`, `account current`, and `account remove <ref>` against the `TokenStore.list()` / `setDefault()` / `active()` / `clear()` contract. Attach them to an `account` parent command — the same registrar shape as the auth siblings.
 
 ```ts
-import { attachAccountListCommand, attachAccountUseCommand } from '@doist/cli-core/auth'
+import {
+    attachAccountCurrentCommand,
+    attachAccountListCommand,
+    attachAccountRemoveCommand,
+    attachAccountUseCommand,
+} from '@doist/cli-core/auth'
 
 const account = program.command('account')
 
@@ -274,12 +279,29 @@ attachAccountUseCommand<Account>(account, {
     store,
     onDefaultSet: ({ ref }) => clearCachedClient(), // optional follow-up
 })
+
+attachAccountCurrentCommand<Account>(account, {
+    store,
+    // Optional. Defaults to `<label ?? id> (id:<id>)` (+ ` (default)`).
+    renderText: ({ account, isDefault }) => `${account.email}${isDefault ? ' (default)' : ''}`,
+    // Drive out-of-store credential sources (env var, legacy creds) here.
+    onNotAuthenticated: ({ view }) => renderEnvOrLegacy(view),
+})
+
+attachAccountRemoveCommand<Account>(account, {
+    store,
+    onRemoved: ({ account }) => warnIfKeyringFellBack(account), // optional follow-up
+})
 ```
 
 `attachAccountListCommand` reads `store.list()` and renders every stored account. `--json` emits a `{ accounts, default }` envelope where `default` is the default entry's `account.id` (or `null`); `--ndjson` streams one per-account object per line (the same shape as the `accounts[]` entries — no envelope, no `default`); human mode uses `renderText`. `renderJson` is invoked once per account and only in machine-output mode. Both renderers are optional — omit them for the built-in defaults.
 
 `attachAccountUseCommand` takes a positional `<ref>`, calls `store.setDefault(ref)` (a ref miss propagates `CliError('ACCOUNT_NOT_FOUND', …)`), then emits `✓ Default account set to <ref>` (human) or `{ "ok": true, "default": <id> }` (`--json`, silent under `--ndjson`). The `--json` `default` is the resolved account's canonical `id` (re-read from `store.list()` after the write) so it round-trips against what `account list --json` reports for the same account; the human line echoes the raw `<ref>` you typed. The optional `onDefaultSet({ ref, view, flags })` hook fires after the success line for CLI-specific follow-ups.
 
+`attachAccountCurrentCommand` is selector-less: it reads `store.active()` and derives the `(default)` marker from `store.list()` (keyed on `account.id`, identical to `account list`). `--json` / `--ndjson` emit `{ account, isDefault }` by default (override via `renderJson`, validated for serializability); human mode uses `renderText`. When `store.active()` resolves nothing it invokes `onNotAuthenticated({ view, flags })`, or throws `CliError('NOT_AUTHENTICATED', …)` when no hook is supplied — that hook is where consumers render out-of-store credential sources (an env-var token, legacy single-user creds).
+
+`attachAccountRemoveCommand` takes a positional `<ref>`, resolves it via `store.active(ref)` (a miss throws `CliError('ACCOUNT_NOT_FOUND', …)`), then clears by the resolved canonical `account.id` — never the raw ref, since `clear()` is keyed by id and would silently no-op on an email/label ref. `--json` emits `{ ok: true, removed: <id> }`; `--ndjson` is silent; human mode prints `✓ Removed <label ?? id>` plus a `Cleared default account.` line when the removed account was the default (override the whole human block via `renderText`). The optional `onRemoved` hook fires after the success line — use it for store-specific follow-ups not on the `TokenStore` contract (e.g. surfacing a keyring-fallback warning).
+
 #### Standard flag set
 
 `attachLoginCommand` registers four flags on the `login` subcommand:
diff --git a/src/auth/account.test.ts b/src/auth/account.test.ts
index d884207..ed3825d 100644
--- a/src/auth/account.test.ts
+++ b/src/auth/account.test.ts
@@ -4,9 +4,13 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 import { CliError } from '../errors.js'
 import { formatJson, formatNdjson } from '../json.js'
 import {
+    type AttachAccountCurrentCommandOptions,
     type AttachAccountListCommandOptions,
+    type AttachAccountRemoveCommandOptions,
     type AttachAccountUseCommandOptions,
+    attachAccountCurrentCommand,
     attachAccountListCommand,
+    attachAccountRemoveCommand,
     attachAccountUseCommand,
 } from './account.js'
 import type { TokenStore } from './types.js'
@@ -33,6 +37,8 @@ function buildStore(initial: Entry[] = bothAccounts): {
     store: TokenStore<Account>
     listSpy: ReturnType<typeof vi.fn>
     setDefaultSpy: ReturnType<typeof vi.fn>
+    activeSpy: ReturnType<typeof vi.fn>
+    clearSpy: ReturnType<typeof vi.fn>
 } {
     const entries = initial.map((entry) => ({ ...entry }))
     const listSpy = vi.fn(async () =>
@@ -43,14 +49,24 @@ function buildStore(initial: Entry[] = bothAccounts): {
         if (!target) throw new CliError('ACCOUNT_NOT_FOUND', `No stored account matches "${ref}".`)
         for (const entry of entries) entry.isDefault = entry === target
     })
+    // No ref → the default entry (selector-less `current`); a ref → match by
+    // id/email/label. Returns null on miss so the attachers can translate it.
+    const activeSpy = vi.fn(async (ref?: string) => {
+        const target =
+            ref === undefined
+                ? entries.find((entry) => entry.isDefault)
+                : entries.find((entry) => matches(entry, ref))
+        return target ? { token: `token-${target.account.id}`, account: target.account } : null
+    })
+    const clearSpy = vi.fn(async (_ref?: string) => {})
     const store: TokenStore<Account> = {
-        active: vi.fn(async () => null),
+        active: activeSpy,
         set: vi.fn(),
-        clear: vi.fn(),
+        clear: clearSpy,
         list: listSpy,
         setDefault: setDefaultSpy,
     }
-    return { store, listSpy, setDefaultSpy }
+    return { store, listSpy, setDefaultSpy, activeSpy, clearSpy }
 }
 
 function buildList(
@@ -83,6 +99,36 @@ function buildUse(
     return { program, command }
 }
 
+function buildCurrent(
+    overrides: Partial<AttachAccountCurrentCommandOptions<Account>> = {},
+    store?: TokenStore<Account>,
+): { program: Command; command: Command } {
+    const resolvedStore = store ?? buildStore().store
+    const program = new Command()
+    program.exitOverride()
+    const account = program.command('account')
+    const command = attachAccountCurrentCommand<Account>(account, {
+        store: resolvedStore,
+        ...overrides,
+    })
+    return { program, command }
+}
+
+function buildRemove(
+    overrides: Partial<AttachAccountRemoveCommandOptions<Account>> = {},
+    store?: TokenStore<Account>,
+): { program: Command; command: Command } {
+    const resolvedStore = store ?? buildStore().store
+    const program = new Command()
+    program.exitOverride()
+    const account = program.command('account')
+    const command = attachAccountRemoveCommand<Account>(account, {
+        store: resolvedStore,
+        ...overrides,
+    })
+    return { program, command }
+}
+
 describe('attachAccountListCommand', () => {
     let logSpy: ReturnType<typeof vi.spyOn>
 
@@ -419,3 +465,210 @@ describe('attachAccountUseCommand', () => {
         expect(command.name()).toBe('use')
     })
 })
+
+describe('attachAccountCurrentCommand', () => {
+    let logSpy: ReturnType<typeof vi.spyOn>
+
+    beforeEach(() => {
+        logSpy = vi.spyOn(console, 'log').mockImplementation(() => {})
+    })
+
+    afterEach(() => {
+        logSpy.mockRestore()
+    })
+
+    it('renders the default human line with a (default) marker for the active account', async () => {
+        const { program } = buildCurrent()
+
+        await program.parseAsync(['node', 'cli', 'account', 'current'])
+
+        expect(logSpy).toHaveBeenCalledWith('Alice (id:1) (default)')
+    })
+
+    it('omits the marker when the active account is not the default', async () => {
+        const store: TokenStore<Account> = {
+            active: vi.fn(async () => ({ token: 't', account: a1 })),
+            set: vi.fn(),
+            clear: vi.fn(),
+            list: vi.fn(async () => [
+                { account: a1, isDefault: false },
+                { account: a2, isDefault: true },
+            ]),
+            setDefault: vi.fn(),
+        }
+        const { program } = buildCurrent({}, store)
+
+        await program.parseAsync(['node', 'cli', 'account', 'current'])
+
+        expect(logSpy).toHaveBeenCalledWith('Alice (id:1)')
+    })
+
+    it('passes account + isDefault to a custom renderText', async () => {
+        const renderText = vi.fn(() => 'custom line')
+        const { program } = buildCurrent({ renderText })
+
+        await program.parseAsync(['node', 'cli', 'account', 'current'])
+
+        expect(renderText).toHaveBeenCalledWith({
+            account: a1,
+            isDefault: true,
+            view: { json: false, ndjson: false },
+            flags: {},
+        })
+        expect(logSpy).toHaveBeenCalledWith('custom line')
+    })
+
+    it('emits the default { account, isDefault } payload under --json', async () => {
+        const { program } = buildCurrent()
+
+        await program.parseAsync(['node', 'cli', 'account', 'current', '--json'])
+
+        expect(logSpy).toHaveBeenCalledWith(formatJson({ account: a1, isDefault: true }))
+    })
+
+    it('shapes the --json payload via renderJson', async () => {
+        const renderJson = vi.fn(({ account }: { account: Account }) => ({ email: account.email }))
+        const { program } = buildCurrent({ renderJson })
+
+        await program.parseAsync(['node', 'cli', 'account', 'current', '--json'])
+
+        expect(renderJson).toHaveBeenCalledWith({ account: a1, isDefault: true, flags: {} })
+        expect(logSpy).toHaveBeenCalledWith(formatJson({ email: 'alice@b' }))
+    })
+
+    it('emits a single payload object under --ndjson', async () => {
+        const { program } = buildCurrent()
+
+        await program.parseAsync(['node', 'cli', 'account', 'current', '--ndjson'])
+
+        expect(logSpy).toHaveBeenCalledWith(formatNdjson([{ account: a1, isDefault: true }]))
+    })
+
+    it('throws INVALID_TYPE in both machine modes when renderJson is non-serializable', async () => {
+        const renderJson = vi.fn(() => undefined)
+
+        for (const mode of ['--json', '--ndjson'] as const) {
+            const { program } = buildCurrent({ renderJson })
+            await expect(
+                program.parseAsync(['node', 'cli', 'account', 'current', mode]),
+            ).rejects.toMatchObject({ constructor: CliError, code: 'INVALID_TYPE' })
+        }
+    })
+
+    it('invokes onNotAuthenticated when nothing is active', async () => {
+        const onNotAuthenticated = vi.fn()
+        const { program } = buildCurrent({ onNotAuthenticated }, buildStore([]).store)
+
+        await program.parseAsync(['node', 'cli', 'account', 'current'])
+
+        expect(onNotAuthenticated).toHaveBeenCalledWith({
+            view: { json: false, ndjson: false },
+            flags: {},
+        })
+        expect(logSpy).not.toHaveBeenCalled()
+    })
+
+    it('throws NOT_AUTHENTICATED when nothing is active and no hook is supplied', async () => {
+        const { program } = buildCurrent({}, buildStore([]).store)
+
+        await expect(
+            program.parseAsync(['node', 'cli', 'account', 'current']),
+        ).rejects.toMatchObject({ constructor: CliError, code: 'NOT_AUTHENTICATED' })
+    })
+
+    it('returns the new Command so the consumer can chain', () => {
+        const { command } = buildCurrent()
+
+        expect(command.name()).toBe('current')
+    })
+})
+
+describe('attachAccountRemoveCommand', () => {
+    let logSpy: ReturnType<typeof vi.spyOn>
+
+    beforeEach(() => {
+        logSpy = vi.spyOn(console, 'log').mockImplementation(() => {})
+    })
+
+    afterEach(() => {
+        logSpy.mockRestore()
+    })
+
+    it('clears by the resolved id (not the raw ref) and flags the cleared default', async () => {
+        const built = buildStore()
+        const { program } = buildRemove({}, built.store)
+
+        // Invoked by email; the store clears by the canonical id it resolved to.
+        await program.parseAsync(['node', 'cli', 'account', 'remove', 'alice@b'])
+
+        expect(built.clearSpy).toHaveBeenCalledWith('1')
+        const emitted = logSpy.mock.calls.map((call: unknown[]) => call[0])
+        expect(emitted).toEqual(['✓ Removed Alice', 'Cleared default account.'])
+    })
+
+    it('omits the cleared-default line when the removed account was not the default', async () => {
+        const built = buildStore()
+        const { program } = buildRemove({}, built.store)
+
+        await program.parseAsync(['node', 'cli', 'account', 'remove', 'bob@b'])
+
+        expect(built.clearSpy).toHaveBeenCalledWith('2')
+        expect(logSpy).toHaveBeenCalledOnce()
+        expect(logSpy).toHaveBeenCalledWith('✓ Removed Bob')
+    })
+
+    it('throws ACCOUNT_NOT_FOUND and does not clear when the ref misses', async () => {
+        const built = buildStore()
+        const { program } = buildRemove({}, built.store)
+
+        await expect(
+            program.parseAsync(['node', 'cli', 'account', 'remove', 'ghost']),
+        ).rejects.toMatchObject({ constructor: CliError, code: 'ACCOUNT_NOT_FOUND' })
+        expect(built.clearSpy).not.toHaveBeenCalled()
+    })
+
+    it('emits { ok, removed } with the canonical id under --json', async () => {
+        const { program } = buildRemove()
+
+        await program.parseAsync(['node', 'cli', 'account', 'remove', 'bob@b', '--json'])
+
+        expect(logSpy).toHaveBeenCalledWith(formatJson({ ok: true, removed: '2' }))
+    })
+
+    it('is silent under --ndjson but still clears and runs onRemoved', async () => {
+        const built = buildStore()
+        const onRemoved = vi.fn()
+        const { program } = buildRemove({ onRemoved }, built.store)
+
+        await program.parseAsync(['node', 'cli', 'account', 'remove', 'bob@b', '--ndjson'])
+
+        expect(built.clearSpy).toHaveBeenCalledWith('2')
+        expect(logSpy).not.toHaveBeenCalled()
+        expect(onRemoved).toHaveBeenCalledOnce()
+    })
+
+    it('passes the removed account + wasDefault to renderText and onRemoved', async () => {
+        const renderText = vi.fn(() => 'gone')
+        const onRemoved = vi.fn()
+        const { program } = buildRemove({ renderText, onRemoved })
+
+        await program.parseAsync(['node', 'cli', 'account', 'remove', 'alice@b'])
+
+        const expectedCtx = {
+            account: a1,
+            ref: 'alice@b',
+            wasDefault: true,
+            view: { json: false, ndjson: false },
+            flags: {},
+        }
+        expect(renderText).toHaveBeenCalledWith(expectedCtx)
+        expect(onRemoved).toHaveBeenCalledWith(expectedCtx)
+        expect(logSpy).toHaveBeenCalledWith('gone')
+    })
+
+    it('returns the new Command so the consumer can chain', () => {
+        const { command } = buildRemove()
+
+        expect(command.name()).toBe('remove')
+    })
+})
diff --git a/src/auth/account.ts b/src/auth/account.ts
index 6d76811..86ca92b 100644
--- a/src/auth/account.ts
+++ b/src/auth/account.ts
@@ -1,8 +1,9 @@
 import type { Command } from 'commander'
 import { CliError } from '../errors.js'
-import { formatNdjson } from '../json.js'
+import { formatJson, formatNdjson } from '../json.js'
 import { type ViewOptions, emitView } from '../options.js'
 import type { AccountRef, AuthAccount, TokenStore } from './types.js'
+import { accountNotFoundError } from './user-flag.js'
 
 export type AttachAccountListContext<TAccount extends AuthAccount> = {
     /** Every stored account with its default marker, in store order. */
@@ -186,3 +187,197 @@ export function attachAccountUseCommand<TAccount extends AuthAccount = AuthAccou
             await options.onDefaultSet?.({ ref, view, flags })
         })
 }
+
+export type AttachAccountCurrentContext<TAccount extends AuthAccount> = {
+    /** The resolved active account. */
+    account: TAccount
+    /** Whether the active account is the store's effective default. */
+    isDefault: boolean
+    /** `--json` / `--ndjson` flag values, both present (defaulted to `false`). */
+    view: Required<ViewOptions>
+    /** Consumer-attached options. The registrar flags (`--json`, `--ndjson`) are stripped. */
+    flags: Record<string, unknown>
+}
+
+export type AttachAccountCurrentCommandOptions<TAccount extends AuthAccount = AuthAccount> = {
+    store: TokenStore<TAccount>
+    description?: string
+    /**
+     * Human-mode renderer. May return a single string or an array of lines;
+     * lines are joined with `\n` on output. Defaults to `<label ?? id> (id:<id>)`
+     * plus ` (default)` on the default account.
+     */
+    renderText?(ctx: AttachAccountCurrentContext<TAccount>): string | readonly string[]
+    /**
+     * Machine-mode payload, serialized as-is via `formatJson` / `formatNdjson`
+     * (identically across both modes). Defaults to `{ account, isDefault }`.
+     * Only invoked under `--json` / `--ndjson`. A non-serializable return
+     * throws `CliError('INVALID_TYPE', …)`.
+     */
+    renderJson?(ctx: {
+        account: TAccount
+        isDefault: boolean
+        flags: Record<string, unknown>
+    }): unknown
+    /**
+     * Called when `store.active()` resolves nothing. Default behaviour throws
+     * `CliError('NOT_AUTHENTICATED', …)`. Consumers with out-of-store credential
+     * sources (env var, legacy single-user creds) use this hook to render those
+     * cases — mirroring `attachStatusCommand`.
+     */
+    onNotAuthenticated?(ctx: {
+        view: Required<ViewOptions>
+        flags: Record<string, unknown>
+    }): void | Promise<void>
+}
+
+/**
+ * Attach `current` as a subcommand of `parent` (typically an `account` group).
+ * Reads the active credential via `store.active()` (no selector — the active
+ * account is whatever the store resolves by default), derives the `(default)`
+ * marker from `store.list()` keyed on `account.id` (so it stays identical to
+ * `account list`), then dispatches to `renderText` (human) or `renderJson`
+ * (machine). `--json` wins when both flags are present. When `store.active()`
+ * returns null it invokes `onNotAuthenticated` (or throws `NOT_AUTHENTICATED`).
+ * Returns the new `Command` so the consumer can chain.
+ */
+export function attachAccountCurrentCommand<TAccount extends AuthAccount = AuthAccount>(
+    parent: Command,
+    options: AttachAccountCurrentCommandOptions<TAccount>,
+): Command {
+    return parent
+        .command('current')
+        .description(options.description ?? 'Show the active account')
+        .option('--json', 'Emit machine-readable JSON output')
+        .option('--ndjson', 'Emit machine-readable NDJSON output')
+        .action(async (cmd: Record<string, unknown>) => {
+            const { view, flags } = splitViewFlags(cmd)
+            const snapshot = await options.store.active()
+            if (!snapshot) {
+                if (options.onNotAuthenticated) {
+                    await options.onNotAuthenticated({ view, flags })
+                    return
+                }
+                throw new CliError('NOT_AUTHENTICATED', 'Not signed in.')
+            }
+            const accounts = await options.store.list()
+            const isDefault = accounts.some(
+                (entry) => entry.account.id === snapshot.account.id && entry.isDefault,
+            )
+            if (view.json || view.ndjson) {
+                const payload = options.renderJson
+                    ? options.renderJson({ account: snapshot.account, isDefault, flags })
+                    : { account: snapshot.account, isDefault }
+                if (JSON.stringify(payload) === undefined) {
+                    throw new CliError(
+                        'INVALID_TYPE',
+                        `renderJson returned a non-serializable value for account "${snapshot.account.id}".`,
+                    )
+                }
+                console.log(view.json ? formatJson(payload) : formatNdjson([payload]))
+                return
+            }
+            const ctx: AttachAccountCurrentContext<TAccount> = {
+                account: snapshot.account,
+                isDefault,
+                view,
+                flags,
+            }
+            const text = options.renderText
+                ? options.renderText(ctx)
+                : `${snapshot.account.label ?? snapshot.account.id} (id:${snapshot.account.id})${
+                      isDefault ? ' (default)' : ''
+                  }`
+            const lines = typeof text === 'string' ? [text] : text
+            for (const line of lines) console.log(line)
+        })
+}
+
+export type AttachAccountRemoveContext<TAccount extends AuthAccount> = {
+    /** The account that was removed, resolved before `clear()`. */
+    account: TAccount
+    /** The raw `<ref>` positional the user typed. */
+    ref: AccountRef
+    /** Whether the removed account was the default before clearing. */
+    wasDefault: boolean
+    /** `--json` / `--ndjson` flag values, both present (defaulted to `false`). */
+    view: Required<ViewOptions>
+    /** Consumer-attached options. The registrar flags (`--json`, `--ndjson`) are stripped. */
+    flags: Record<string, unknown>
+}
+
+export type AttachAccountRemoveCommandOptions<TAccount extends AuthAccount = AuthAccount> = {
+    store: TokenStore<TAccount>
+    description?: string
+    /**
+     * Human-mode renderer over the removed account. Defaults to
+     * `✓ Removed <label ?? id>`, plus a `Cleared default account.` line when the
+     * removed account was the default. Consumers override to localise the
+     * wording (e.g. add a CLI-specific "set a new default" hint). Not called
+     * under `--json` / `--ndjson`.
+     */
+    renderText?(ctx: AttachAccountRemoveContext<TAccount>): string | readonly string[]
+    /**
+     * Fires after `clear()` resolves and the success line is emitted (in every
+     * output mode). Awaited. Use for store-specific follow-ups not on the
+     * `TokenStore` contract — e.g. surfacing a keyring-fallback warning to
+     * stderr.
+     */
+    onRemoved?(ctx: AttachAccountRemoveContext<TAccount>): void | Promise<void>
+}
+
+/**
+ * Attach `remove <ref>` as a subcommand of `parent` (typically an `account`
+ * group). Resolves `<ref>` via `store.active(ref)` (throwing
+ * `ACCOUNT_NOT_FOUND` on a miss), captures the default marker from
+ * `store.list()` before clearing, then calls `store.clear(account.id)` — always
+ * the resolved canonical id, never the raw ref, since `clear()` is keyed by id
+ * and silently no-ops on an email/label ref. `--json` emits
+ * `{ ok: true, removed: <id> }`; `--ndjson` is silent (success-action
+ * convention); `--json` wins when both are present. Returns the new `Command`
+ * so the consumer can chain.
+ */
+export function attachAccountRemoveCommand<TAccount extends AuthAccount = AuthAccount>(
+    parent: Command,
+    options: AttachAccountRemoveCommandOptions<TAccount>,
+): Command {
+    return parent
+        .command('remove')
+        .description(options.description ?? 'Remove a stored account')
+        .argument(
+            '<ref>',
+            'Account reference to remove (id, or a store-defined alias such as email)',
+        )
+        .option('--json', 'Emit machine-readable JSON output')
+        .option('--ndjson', 'Emit machine-readable NDJSON output')
+        .action(async (ref: string, cmd: Record<string, unknown>) => {
+            const { view, flags } = splitViewFlags(cmd)
+            const snapshot = await options.store.active(ref)
+            if (!snapshot) throw accountNotFoundError(ref)
+            const accounts = await options.store.list()
+            const wasDefault = accounts.some(
+                (entry) => entry.account.id === snapshot.account.id && entry.isDefault,
+            )
+            await options.store.clear(snapshot.account.id)
+            const ctx: AttachAccountRemoveContext<TAccount> = {
+                account: snapshot.account,
+                ref,
+                wasDefault,
+                view,
+                flags,
+            }
+            if (view.json) {
+                console.log(formatJson({ ok: true, removed: snapshot.account.id }))
+            } else if (!view.ndjson) {
+                const removedLine = `✓ Removed ${snapshot.account.label ?? snapshot.account.id}`
+                const text = options.renderText
+                    ? options.renderText(ctx)
+                    : wasDefault
+                      ? [removedLine, 'Cleared default account.']
+                      : removedLine
+                const lines = typeof text === 'string' ? [text] : text
+                for (const line of lines) console.log(line)
+            }
+            await options.onRemoved?.(ctx)
+        })
+}
diff --git a/src/auth/index.ts b/src/auth/index.ts
index 8193d1d..58b2b93 100644
--- a/src/auth/index.ts
+++ b/src/auth/index.ts
@@ -1,8 +1,17 @@
 export type { AuthErrorCode } from './errors.js'
-export { attachAccountListCommand, attachAccountUseCommand } from './account.js'
+export {
+    attachAccountCurrentCommand,
+    attachAccountListCommand,
+    attachAccountRemoveCommand,
+    attachAccountUseCommand,
+} from './account.js'
 export type {
+    AttachAccountCurrentCommandOptions,
+    AttachAccountCurrentContext,
     AttachAccountListCommandOptions,
     AttachAccountListContext,
+    AttachAccountRemoveCommandOptions,
+    AttachAccountRemoveContext,
     AttachAccountUseCommandOptions,
 } from './account.js'
 export { runOAuthFlow } from './flow.js'

From 9fc18aa1c818fe084903b4c8844f079ca60d7eff Mon Sep 17 00:00:00 2001
From: Scott Lovegrove <scott@ferretlabs.com>
Date: Sat, 23 May 2026 15:06:52 +0100
Subject: [PATCH 2/3] refactor(auth): address review on account current/remove
 attachers

- remove: resolve the target token-free by diffing `store.list()` around
  `store.clear(ref)` instead of `store.active(ref)`, so a broken/unreadable
  keyring entry can still be removed (active would throw AUTH_STORE_READ_FAILED).
- Extract shared `formatAccountLine` and `buildAccountPayload` helpers so list
  and current can't drift on rendering or INVALID_TYPE handling; the payload
  serializability probe now also catches throwing values (circular, BigInt).
- remove: reuse `emitView` for the json/ndjson/human split, matching `use`.
- current: build the render context once.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 README.md                |   2 +-
 src/auth/account.test.ts |  67 ++++++++++++++---
 src/auth/account.ts      | 151 ++++++++++++++++++++++-----------------
 3 files changed, 146 insertions(+), 74 deletions(-)

diff --git a/README.md b/README.md
index 1642291..f67b98f 100644
--- a/README.md
+++ b/README.md
@@ -300,7 +300,7 @@ attachAccountRemoveCommand<Account>(account, {
 
 `attachAccountCurrentCommand` is selector-less: it reads `store.active()` and derives the `(default)` marker from `store.list()` (keyed on `account.id`, identical to `account list`). `--json` / `--ndjson` emit `{ account, isDefault }` by default (override via `renderJson`, validated for serializability); human mode uses `renderText`. When `store.active()` resolves nothing it invokes `onNotAuthenticated({ view, flags })`, or throws `CliError('NOT_AUTHENTICATED', …)` when no hook is supplied — that hook is where consumers render out-of-store credential sources (an env-var token, legacy single-user creds).
 
-`attachAccountRemoveCommand` takes a positional `<ref>`, resolves it via `store.active(ref)` (a miss throws `CliError('ACCOUNT_NOT_FOUND', …)`), then clears by the resolved canonical `account.id` — never the raw ref, since `clear()` is keyed by id and would silently no-op on an email/label ref. `--json` emits `{ ok: true, removed: <id> }`; `--ndjson` is silent; human mode prints `✓ Removed <label ?? id>` plus a `Cleared default account.` line when the removed account was the default (override the whole human block via `renderText`). The optional `onRemoved` hook fires after the success line — use it for store-specific follow-ups not on the `TokenStore` contract (e.g. surfacing a keyring-fallback warning).
+`attachAccountRemoveCommand` takes a positional `<ref>` and resolves the target **token-free**: it snapshots `store.list()`, lets the store match + delete the ref via `store.clear(ref)`, then diffs the list to learn which account was removed. Routing through `clear(ref)` rather than `store.active(ref)` is deliberate — `clear` never reads the token, so a broken/unreadable keyring entry can still be removed, whereas `active(ref)` may throw `AUTH_STORE_READ_FAILED` and leave the entry impossible to clean up. A ref that matches nothing is a `clear` no-op and surfaces as `CliError('ACCOUNT_NOT_FOUND', …)`. `--json` emits `{ ok: true, removed: <id> }`; `--ndjson` is silent; human mode prints `✓ Removed <label ?? id>` plus a `Cleared default account.` line when the removed account was the default (override the whole human block via `renderText`). The optional `onRemoved` hook fires after the success line — use it for store-specific follow-ups not on the `TokenStore` contract (e.g. surfacing a keyring-fallback warning).
 
 #### Standard flag set
 
diff --git a/src/auth/account.test.ts b/src/auth/account.test.ts
index ed3825d..4796c71 100644
--- a/src/auth/account.test.ts
+++ b/src/auth/account.test.ts
@@ -58,7 +58,15 @@ function buildStore(initial: Entry[] = bothAccounts): {
                 : entries.find((entry) => matches(entry, ref))
         return target ? { token: `token-${target.account.id}`, account: target.account } : null
     })
-    const clearSpy = vi.fn(async (_ref?: string) => {})
+    // Token-free removal: match by id/email/label (or the default when no ref)
+    // and drop the entry, so a follow-up `list()` reflects the removal — this
+    // is what `attachAccountRemoveCommand` diffs against.
+    const clearSpy = vi.fn(async (ref?: string) => {
+        const idx = entries.findIndex((entry) =>
+            ref === undefined ? entry.isDefault : matches(entry, ref),
+        )
+        if (idx !== -1) entries.splice(idx, 1)
+    })
     const store: TokenStore<Account> = {
         active: activeSpy,
         set: vi.fn(),
@@ -544,6 +552,15 @@ describe('attachAccountCurrentCommand', () => {
         expect(logSpy).toHaveBeenCalledWith(formatNdjson([{ account: a1, isDefault: true }]))
     })
 
+    it('prefers --json over --ndjson when both flags are passed', async () => {
+        const { program } = buildCurrent()
+
+        await program.parseAsync(['node', 'cli', 'account', 'current', '--json', '--ndjson'])
+
+        expect(logSpy).toHaveBeenCalledOnce()
+        expect(logSpy).toHaveBeenCalledWith(formatJson({ account: a1, isDefault: true }))
+    })
+
     it('throws INVALID_TYPE in both machine modes when renderJson is non-serializable', async () => {
         const renderJson = vi.fn(() => undefined)
 
@@ -594,14 +611,15 @@ describe('attachAccountRemoveCommand', () => {
         logSpy.mockRestore()
     })
 
-    it('clears by the resolved id (not the raw ref) and flags the cleared default', async () => {
+    it('removes the matched account by ref and flags the cleared default', async () => {
         const built = buildStore()
         const { program } = buildRemove({}, built.store)
 
-        // Invoked by email; the store clears by the canonical id it resolved to.
+        // Invoked by email; the store matches + clears it token-free.
         await program.parseAsync(['node', 'cli', 'account', 'remove', 'alice@b'])
 
-        expect(built.clearSpy).toHaveBeenCalledWith('1')
+        expect(built.clearSpy).toHaveBeenCalledWith('alice@b')
+        expect(await built.store.list()).toEqual([{ account: a2, isDefault: false }])
         const emitted = logSpy.mock.calls.map((call: unknown[]) => call[0])
         expect(emitted).toEqual(['✓ Removed Alice', 'Cleared default account.'])
     })
@@ -612,19 +630,35 @@ describe('attachAccountRemoveCommand', () => {
 
         await program.parseAsync(['node', 'cli', 'account', 'remove', 'bob@b'])
 
-        expect(built.clearSpy).toHaveBeenCalledWith('2')
         expect(logSpy).toHaveBeenCalledOnce()
         expect(logSpy).toHaveBeenCalledWith('✓ Removed Bob')
     })
 
-    it('throws ACCOUNT_NOT_FOUND and does not clear when the ref misses', async () => {
+    it('throws ACCOUNT_NOT_FOUND and removes nothing when the ref misses', async () => {
         const built = buildStore()
         const { program } = buildRemove({}, built.store)
 
         await expect(
             program.parseAsync(['node', 'cli', 'account', 'remove', 'ghost']),
         ).rejects.toMatchObject({ constructor: CliError, code: 'ACCOUNT_NOT_FOUND' })
-        expect(built.clearSpy).not.toHaveBeenCalled()
+        expect(await built.store.list()).toHaveLength(2)
+    })
+
+    it('removes an account whose token is unreadable, never touching active()', async () => {
+        const built = buildStore()
+        // A broken keyring entry: `active()` would throw AUTH_STORE_READ_FAILED,
+        // but `remove` must still clear it. If the attacher called active() this
+        // would surface that error instead of removing the record.
+        built.store.active = vi.fn(async () => {
+            throw new CliError('AUTH_STORE_READ_FAILED', 'keyring offline')
+        })
+        const { program } = buildRemove({}, built.store)
+
+        await program.parseAsync(['node', 'cli', 'account', 'remove', 'alice@b'])
+
+        expect(built.store.active).not.toHaveBeenCalled()
+        expect(await built.store.list()).toEqual([{ account: a2, isDefault: false }])
+        expect(logSpy).toHaveBeenCalledWith('✓ Removed Alice')
     })
 
     it('emits { ok, removed } with the canonical id under --json', async () => {
@@ -635,6 +669,23 @@ describe('attachAccountRemoveCommand', () => {
         expect(logSpy).toHaveBeenCalledWith(formatJson({ ok: true, removed: '2' }))
     })
 
+    it('prefers --json over --ndjson when both flags are passed', async () => {
+        const { program } = buildRemove()
+
+        await program.parseAsync([
+            'node',
+            'cli',
+            'account',
+            'remove',
+            'bob@b',
+            '--json',
+            '--ndjson',
+        ])
+
+        expect(logSpy).toHaveBeenCalledOnce()
+        expect(logSpy).toHaveBeenCalledWith(formatJson({ ok: true, removed: '2' }))
+    })
+
     it('is silent under --ndjson but still clears and runs onRemoved', async () => {
         const built = buildStore()
         const onRemoved = vi.fn()
@@ -642,7 +693,7 @@ describe('attachAccountRemoveCommand', () => {
 
         await program.parseAsync(['node', 'cli', 'account', 'remove', 'bob@b', '--ndjson'])
 
-        expect(built.clearSpy).toHaveBeenCalledWith('2')
+        expect(await built.store.list()).toEqual([{ account: a1, isDefault: true }])
         expect(logSpy).not.toHaveBeenCalled()
         expect(onRemoved).toHaveBeenCalledOnce()
     })
diff --git a/src/auth/account.ts b/src/auth/account.ts
index 86ca92b..44f0dd0 100644
--- a/src/auth/account.ts
+++ b/src/auth/account.ts
@@ -65,14 +65,51 @@ function splitViewFlags(cmd: Record<string, unknown>): {
     return { view: { json: Boolean(json), ndjson: Boolean(ndjson) }, flags }
 }
 
+/** The canonical one-line human representation of an account, shared by `list` and `current`. */
+function formatAccountLine(account: AuthAccount, isDefault: boolean): string {
+    return `${account.label ?? account.id} (id:${account.id})${isDefault ? ' (default)' : ''}`
+}
+
+/**
+ * Build the machine-output payload for one account — `renderJson` when supplied,
+ * else the default `{ account, isDefault }` — and validate that it serializes,
+ * so `--json` and `--ndjson` fail identically on a non-serializable result
+ * (top-level `undefined`, a circular object, a `BigInt`, …) with a typed
+ * `CliError('INVALID_TYPE', …)` rather than a raw `TypeError` leaking out of
+ * `formatJson` / `formatNdjson`. Shared by `list` and `current` so the two
+ * can't drift on validation or error text.
+ */
+function buildAccountPayload<TAccount extends AuthAccount>(
+    ctx: { account: TAccount; isDefault: boolean; flags: Record<string, unknown> },
+    renderJson?: (input: {
+        account: TAccount
+        isDefault: boolean
+        flags: Record<string, unknown>
+    }) => unknown,
+): unknown {
+    const payload = renderJson
+        ? renderJson(ctx)
+        : { account: ctx.account, isDefault: ctx.isDefault }
+    let serializable: boolean
+    try {
+        serializable = JSON.stringify(payload) !== undefined
+    } catch {
+        serializable = false
+    }
+    if (!serializable) {
+        throw new CliError(
+            'INVALID_TYPE',
+            `renderJson returned a non-serializable value for account "${ctx.account.id}".`,
+        )
+    }
+    return payload
+}
+
 function defaultListText<TAccount extends AuthAccount>(
     ctx: AttachAccountListContext<TAccount>,
 ): string[] {
     if (ctx.accounts.length === 0) return ['No accounts stored.']
-    return ctx.accounts.map(({ account, isDefault }) => {
-        const name = account.label ?? account.id
-        return `${name} (id:${account.id})${isDefault ? ' (default)' : ''}`
-    })
+    return ctx.accounts.map(({ account, isDefault }) => formatAccountLine(account, isDefault))
 }
 
 /**
@@ -108,22 +145,11 @@ export function attachAccountListCommand<TAccount extends AuthAccount = AuthAcco
             // same way under `--json` and `--ndjson` (a raw `undefined` element
             // would otherwise serialize to `null` in the JSON array but throw
             // in NDJSON).
-            const toPayload = (entry: { account: TAccount; isDefault: boolean }) => {
-                const payload = options.renderJson
-                    ? options.renderJson({
-                          account: entry.account,
-                          isDefault: entry.isDefault,
-                          flags,
-                      })
-                    : { account: entry.account, isDefault: entry.isDefault }
-                if (JSON.stringify(payload) === undefined) {
-                    throw new CliError(
-                        'INVALID_TYPE',
-                        `renderJson returned a non-serializable value for account "${entry.account.id}".`,
-                    )
-                }
-                return payload
-            }
+            const toPayload = (entry: { account: TAccount; isDefault: boolean }) =>
+                buildAccountPayload(
+                    { account: entry.account, isDefault: entry.isDefault, flags },
+                    options.renderJson,
+                )
             // NDJSON streams one object per account; emit each line as it's
             // produced rather than buffering a joined string. `--json` wins when
             // both flags are set. Empty list → no lines (EOF-as-end-of-stream).
@@ -264,37 +290,30 @@ export function attachAccountCurrentCommand<TAccount extends AuthAccount = AuthA
             const isDefault = accounts.some(
                 (entry) => entry.account.id === snapshot.account.id && entry.isDefault,
             )
-            if (view.json || view.ndjson) {
-                const payload = options.renderJson
-                    ? options.renderJson({ account: snapshot.account, isDefault, flags })
-                    : { account: snapshot.account, isDefault }
-                if (JSON.stringify(payload) === undefined) {
-                    throw new CliError(
-                        'INVALID_TYPE',
-                        `renderJson returned a non-serializable value for account "${snapshot.account.id}".`,
-                    )
-                }
-                console.log(view.json ? formatJson(payload) : formatNdjson([payload]))
-                return
-            }
             const ctx: AttachAccountCurrentContext<TAccount> = {
                 account: snapshot.account,
                 isDefault,
                 view,
                 flags,
             }
+            if (view.json || view.ndjson) {
+                const payload = buildAccountPayload(
+                    { account: ctx.account, isDefault: ctx.isDefault, flags },
+                    options.renderJson,
+                )
+                console.log(view.json ? formatJson(payload) : formatNdjson([payload]))
+                return
+            }
             const text = options.renderText
                 ? options.renderText(ctx)
-                : `${snapshot.account.label ?? snapshot.account.id} (id:${snapshot.account.id})${
-                      isDefault ? ' (default)' : ''
-                  }`
+                : formatAccountLine(ctx.account, ctx.isDefault)
             const lines = typeof text === 'string' ? [text] : text
             for (const line of lines) console.log(line)
         })
 }
 
 export type AttachAccountRemoveContext<TAccount extends AuthAccount> = {
-    /** The account that was removed, resolved before `clear()`. */
+    /** The account that was removed, captured from `store.list()` before `clear()`. */
     account: TAccount
     /** The raw `<ref>` positional the user typed. */
     ref: AccountRef
@@ -328,14 +347,16 @@ export type AttachAccountRemoveCommandOptions<TAccount extends AuthAccount = Aut
 
 /**
  * Attach `remove <ref>` as a subcommand of `parent` (typically an `account`
- * group). Resolves `<ref>` via `store.active(ref)` (throwing
- * `ACCOUNT_NOT_FOUND` on a miss), captures the default marker from
- * `store.list()` before clearing, then calls `store.clear(account.id)` — always
- * the resolved canonical id, never the raw ref, since `clear()` is keyed by id
- * and silently no-ops on an email/label ref. `--json` emits
- * `{ ok: true, removed: <id> }`; `--ndjson` is silent (success-action
- * convention); `--json` wins when both are present. Returns the new `Command`
- * so the consumer can chain.
+ * group). Resolves the target token-free: it snapshots `store.list()`, lets the
+ * store match + delete the ref via `store.clear(ref)`, then diffs the list to
+ * learn which account was removed. Going through `clear(ref)` rather than
+ * `store.active(ref)` is deliberate — `clear` never reads the token, so a
+ * broken/unreadable keyring entry can still be removed, whereas `active` would
+ * throw `AUTH_STORE_READ_FAILED` and make the entry impossible to clean up. A
+ * ref that matches nothing is a `clear` no-op and surfaces as
+ * `ACCOUNT_NOT_FOUND`. `--json` emits `{ ok: true, removed: <id> }`; `--ndjson`
+ * is silent (success-action convention, matching `use`); `--json` wins when
+ * both are present. Returns the new `Command` so the consumer can chain.
  */
 export function attachAccountRemoveCommand<TAccount extends AuthAccount = AuthAccount>(
     parent: Command,
@@ -352,31 +373,31 @@ export function attachAccountRemoveCommand<TAccount extends AuthAccount = AuthAc
         .option('--ndjson', 'Emit machine-readable NDJSON output')
         .action(async (ref: string, cmd: Record<string, unknown>) => {
             const { view, flags } = splitViewFlags(cmd)
-            const snapshot = await options.store.active(ref)
-            if (!snapshot) throw accountNotFoundError(ref)
-            const accounts = await options.store.list()
-            const wasDefault = accounts.some(
-                (entry) => entry.account.id === snapshot.account.id && entry.isDefault,
-            )
-            await options.store.clear(snapshot.account.id)
+            const before = await options.store.list()
+            await options.store.clear(ref)
+            const remainingIds = new Set((await options.store.list()).map((e) => e.account.id))
+            const removed = before.find((entry) => !remainingIds.has(entry.account.id))
+            if (!removed) throw accountNotFoundError(ref)
             const ctx: AttachAccountRemoveContext<TAccount> = {
-                account: snapshot.account,
+                account: removed.account,
                 ref,
-                wasDefault,
+                wasDefault: removed.isDefault,
                 view,
                 flags,
             }
-            if (view.json) {
-                console.log(formatJson({ ok: true, removed: snapshot.account.id }))
-            } else if (!view.ndjson) {
-                const removedLine = `✓ Removed ${snapshot.account.label ?? snapshot.account.id}`
-                const text = options.renderText
-                    ? options.renderText(ctx)
-                    : wasDefault
-                      ? [removedLine, 'Cleared default account.']
-                      : removedLine
-                const lines = typeof text === 'string' ? [text] : text
-                for (const line of lines) console.log(line)
+            // `--json` emits the envelope; pure `--ndjson` is silent (success-
+            // action convention); human runs the thunk. The guard skips the
+            // silent case so `emitView`'s own `--ndjson` branch never fires.
+            if (view.json || !view.ndjson) {
+                emitView(view, { ok: true, removed: removed.account.id }, () => {
+                    const removedLine = `✓ Removed ${removed.account.label ?? removed.account.id}`
+                    const text = options.renderText
+                        ? options.renderText(ctx)
+                        : ctx.wasDefault
+                          ? [removedLine, 'Cleared default account.']
+                          : removedLine
+                    return typeof text === 'string' ? [text] : text
+                })
             }
             await options.onRemoved?.(ctx)
         })

From c49723c1c82f1e4bf48066a8cb9d14a5504e5743 Mon Sep 17 00:00:00 2001
From: Scott Lovegrove <scott@ferretlabs.com>
Date: Sat, 23 May 2026 15:43:05 +0100
Subject: [PATCH 3/3] refactor(auth): move account resolution into the
 TokenStore contract

Second-review follow-up.

- TokenStore.clear(ref) now returns the removed account + its prior
  effective-default bit (ClearedAccount), or null on a miss. Resolution +
  deletion happen atomically in the store, so `account remove` drops the racy
  before/after list() diff and the token-free guarantee is now contractual
  (a store can't satisfy clear() by reading the token).
- Add optional token-free TokenStore.activeAccount(ref) resolver; KeyringTokenStore
  implements it (required override). `account current` uses it so it no longer
  pays a token read plus a separate list() on every call.
- remove: drop the (default) marker copy that could falsely claim the default
  was cleared; the marker now states only what was removed.
- Tests: clear() return + activeAccount coverage on KeyringTokenStore; a
  serializer-throwing (BigInt) INVALID_TYPE case; onRemoved gated-promise
  ordering; current prefers activeAccount.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 README.md                            |  34 ++++-----
 src/auth/account.test.ts             |  78 ++++++++++++++-----
 src/auth/account.ts                  | 108 +++++++++++++++------------
 src/auth/flow.test.ts                |  13 +++-
 src/auth/index.ts                    |   1 +
 src/auth/keyring/token-store.test.ts |  63 ++++++++++++++++
 src/auth/keyring/token-store.ts      |  58 ++++++++++----
 src/auth/logout.test.ts              |   2 +-
 src/auth/persist.test.ts             |   2 +-
 src/auth/refresh.test.ts             |   4 +-
 src/auth/types.ts                    |  29 ++++++-
 11 files changed, 289 insertions(+), 103 deletions(-)

diff --git a/README.md b/README.md
index f67b98f..028412d 100644
--- a/README.md
+++ b/README.md
@@ -12,20 +12,20 @@ npm install @doist/cli-core
 
 ## What's in it
 
-| Module               | Key exports                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Purpose                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `auth` (subpath)     | `attachLoginCommand`, `attachLogoutCommand`, `attachStatusCommand`, `attachTokenViewCommand`, `attachAccountListCommand`, `attachAccountUseCommand`, `attachAccountCurrentCommand`, `attachAccountRemoveCommand`, `runOAuthFlow`, `refreshAccessToken`, `createPkceProvider`, `createDcrProvider`, `createSecureStore`, `createKeyringTokenStore`, `migrateLegacyAuth`, `persistBundle`, `bundleFromExchange`, PKCE helpers, `AuthProvider` / `TokenStore` / `TokenBundle` / `ActiveBundleSnapshot` / `RefreshInput` / `AccountRef` / `SecureStore` / `UserRecordStore` types, `AttachLogoutRevokeContext` / `AttachAccountListContext` / `AttachAccountCurrentContext` / `AttachAccountRemoveContext` | OAuth runtime plus the Commander attachers for `<cli> [auth] login` / `logout` / `status` / `token` and `<cli> account list` / `use` / `current` / `remove`. `attachLogoutCommand` accepts an optional `revokeToken` hook for best-effort server-side token revocation. Ships the standard public-client PKCE flow (`createPkceProvider`), the RFC 7591 Dynamic Client Registration flow (`createDcrProvider`), a thin cross-platform OS-keyring wrapper (`createSecureStore`), and a multi-account keyring-backed `TokenStore` (`createKeyringTokenStore`) that stores secrets in the OS credential manager and degrades to plaintext in the consumer's config when the keyring is unavailable (WSL/headless Linux/containers). The store contract supports an optional `setBundle(account, bundle)` write method (required on `KeyringTokenStore`) so consumers that need refresh-token persistence can opt in via `TokenBundle`; `active()` stays narrow (access token + account only) so callers that don't need refresh state don't pay extra keyring IPC. `AuthProvider` and `TokenStore` remain the escape hatches for fully bespoke backends (device code, magic-link, …). `logout` / `status` / `token` always attach `--user <ref>` and thread the parsed ref to `store.active(ref)` (and `store.clear(ref)` on `logout`). `commander` (when using the attachers), `open` (browser launch), `@napi-rs/keyring` (when using `createSecureStore` or the keyring `TokenStore`), and `oauth4webapi` (when a consumer opts into silent refresh or uses `createDcrProvider`) are optional peer/optional deps. |
-| `commands` (subpath) | `registerChangelogCommand`, `registerUpdateCommand` (+ semver helpers)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Commander wiring for cli-core's standard commands (e.g. `<cli> changelog`, `<cli> update`, `<cli> update switch`). **Requires** `commander` as an optional peer-dep.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| `config`             | `getConfigPath`, `readConfig`, `readConfigStrict`, `writeConfig`, `updateConfig`, `CoreConfig`, `UpdateChannel`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Read / write a per-CLI JSON config file with typed error codes; `CoreConfig` is the shape of fields cli-core itself owns (extend it for per-CLI fields).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| `empty`              | `printEmpty`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Print an empty-state message gated on `--json` / `--ndjson` so machine consumers never see human strings on stdout.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| `errors`             | `CliError`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Typed CLI error class with `code` and exit-code mapping.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| `global-args`        | `parseGlobalArgs`, `stripUserFlag`, `createGlobalArgsStore`, `createAccessibleGate`, `createSpinnerGate`, `getProgressJsonlPath`, `isProgressJsonlEnabled`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Parse well-known global flags (`--json`, `--ndjson`, `--quiet`, `--verbose`, `--accessible`, `--no-spinner`, `--progress-jsonl`, `--user <ref>`) and derive predicates from them. `stripUserFlag` removes `--user` tokens from argv so the cleaned array can be forwarded to Commander when the flag has no root-program attachment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| `json`               | `formatJson`, `formatNdjson`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Stable JSON / newline-delimited JSON formatting for stdout.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| `markdown` (subpath) | `preloadMarkdown`, `renderMarkdown`, `TerminalRendererOptions`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Lazy-init terminal markdown renderer. **Requires** `marked` and `marked-terminal-renderer` as peer-deps — install only if your CLI uses this subpath.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| `options`            | `ViewOptions`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Type contract for `{ json?, ndjson? }` per-command options that machine-output gates derive from.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| `spinner`            | `createSpinner`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Loading spinner factory wrapping `yocto-spinner` with disable gates.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| `terminal`           | `isCI`, `isStderrTTY`, `isStdinTTY`, `isStdoutTTY`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | TTY / CI detection helpers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| `testing` (subpath)  | `describeEmptyMachineOutput`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Vitest helpers reusable by consuming CLIs (e.g. parametrised empty-state suite covering `--json` / `--ndjson` / human modes).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| Module               | Key exports                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Purpose                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `auth` (subpath)     | `attachLoginCommand`, `attachLogoutCommand`, `attachStatusCommand`, `attachTokenViewCommand`, `attachAccountListCommand`, `attachAccountUseCommand`, `attachAccountCurrentCommand`, `attachAccountRemoveCommand`, `runOAuthFlow`, `refreshAccessToken`, `createPkceProvider`, `createDcrProvider`, `createSecureStore`, `createKeyringTokenStore`, `migrateLegacyAuth`, `persistBundle`, `bundleFromExchange`, PKCE helpers, `AuthProvider` / `TokenStore` / `TokenBundle` / `ActiveBundleSnapshot` / `RefreshInput` / `AccountRef` / `ClearedAccount` / `SecureStore` / `UserRecordStore` types, `AttachLogoutRevokeContext` / `AttachAccountListContext` / `AttachAccountCurrentContext` / `AttachAccountRemoveContext` | OAuth runtime plus the Commander attachers for `<cli> [auth] login` / `logout` / `status` / `token` and `<cli> account list` / `use` / `current` / `remove`. `attachLogoutCommand` accepts an optional `revokeToken` hook for best-effort server-side token revocation. Ships the standard public-client PKCE flow (`createPkceProvider`), the RFC 7591 Dynamic Client Registration flow (`createDcrProvider`), a thin cross-platform OS-keyring wrapper (`createSecureStore`), and a multi-account keyring-backed `TokenStore` (`createKeyringTokenStore`) that stores secrets in the OS credential manager and degrades to plaintext in the consumer's config when the keyring is unavailable (WSL/headless Linux/containers). The store contract supports an optional `setBundle(account, bundle)` write method (required on `KeyringTokenStore`) so consumers that need refresh-token persistence can opt in via `TokenBundle`; `active()` stays narrow (access token + account only) so callers that don't need refresh state don't pay extra keyring IPC. `AuthProvider` and `TokenStore` remain the escape hatches for fully bespoke backends (device code, magic-link, …). `logout` / `status` / `token` always attach `--user <ref>` and thread the parsed ref to `store.active(ref)` (and `store.clear(ref)` on `logout`). `commander` (when using the attachers), `open` (browser launch), `@napi-rs/keyring` (when using `createSecureStore` or the keyring `TokenStore`), and `oauth4webapi` (when a consumer opts into silent refresh or uses `createDcrProvider`) are optional peer/optional deps. |
+| `commands` (subpath) | `registerChangelogCommand`, `registerUpdateCommand` (+ semver helpers)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Commander wiring for cli-core's standard commands (e.g. `<cli> changelog`, `<cli> update`, `<cli> update switch`). **Requires** `commander` as an optional peer-dep.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| `config`             | `getConfigPath`, `readConfig`, `readConfigStrict`, `writeConfig`, `updateConfig`, `CoreConfig`, `UpdateChannel`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Read / write a per-CLI JSON config file with typed error codes; `CoreConfig` is the shape of fields cli-core itself owns (extend it for per-CLI fields).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| `empty`              | `printEmpty`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Print an empty-state message gated on `--json` / `--ndjson` so machine consumers never see human strings on stdout.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
+| `errors`             | `CliError`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Typed CLI error class with `code` and exit-code mapping.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| `global-args`        | `parseGlobalArgs`, `stripUserFlag`, `createGlobalArgsStore`, `createAccessibleGate`, `createSpinnerGate`, `getProgressJsonlPath`, `isProgressJsonlEnabled`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Parse well-known global flags (`--json`, `--ndjson`, `--quiet`, `--verbose`, `--accessible`, `--no-spinner`, `--progress-jsonl`, `--user <ref>`) and derive predicates from them. `stripUserFlag` removes `--user` tokens from argv so the cleaned array can be forwarded to Commander when the flag has no root-program attachment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| `json`               | `formatJson`, `formatNdjson`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Stable JSON / newline-delimited JSON formatting for stdout.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| `markdown` (subpath) | `preloadMarkdown`, `renderMarkdown`, `TerminalRendererOptions`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Lazy-init terminal markdown renderer. **Requires** `marked` and `marked-terminal-renderer` as peer-deps — install only if your CLI uses this subpath.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| `options`            | `ViewOptions`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Type contract for `{ json?, ndjson? }` per-command options that machine-output gates derive from.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| `spinner`            | `createSpinner`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Loading spinner factory wrapping `yocto-spinner` with disable gates.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| `terminal`           | `isCI`, `isStderrTTY`, `isStdinTTY`, `isStdoutTTY`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | TTY / CI detection helpers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| `testing` (subpath)  | `describeEmptyMachineOutput`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Vitest helpers reusable by consuming CLIs (e.g. parametrised empty-state suite covering `--json` / `--ndjson` / human modes).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 
 ## Usage
 
@@ -252,7 +252,7 @@ Both attachers strip the standard `--json` / `--ndjson` / `--user` registrar fla
 
 #### Account selection (`account list` / `use` / `current` / `remove`)
 
-For multi-account CLIs, `attachAccountListCommand`, `attachAccountUseCommand`, `attachAccountCurrentCommand`, and `attachAccountRemoveCommand` wire `account list`, `account use <ref>`, `account current`, and `account remove <ref>` against the `TokenStore.list()` / `setDefault()` / `active()` / `clear()` contract. Attach them to an `account` parent command — the same registrar shape as the auth siblings.
+For multi-account CLIs, `attachAccountListCommand`, `attachAccountUseCommand`, `attachAccountCurrentCommand`, and `attachAccountRemoveCommand` wire `account list`, `account use <ref>`, `account current`, and `account remove <ref>` against the `TokenStore` contract (`list()` / `setDefault()` / `clear()` / `active()` / the optional token-free `activeAccount()`). Attach them to an `account` parent command — the same registrar shape as the auth siblings.
 
 ```ts
 import {
@@ -298,9 +298,9 @@ attachAccountRemoveCommand<Account>(account, {
 
 `attachAccountUseCommand` takes a positional `<ref>`, calls `store.setDefault(ref)` (a ref miss propagates `CliError('ACCOUNT_NOT_FOUND', …)`), then emits `✓ Default account set to <ref>` (human) or `{ "ok": true, "default": <id> }` (`--json`, silent under `--ndjson`). The `--json` `default` is the resolved account's canonical `id` (re-read from `store.list()` after the write) so it round-trips against what `account list --json` reports for the same account; the human line echoes the raw `<ref>` you typed. The optional `onDefaultSet({ ref, view, flags })` hook fires after the success line for CLI-specific follow-ups.
 
-`attachAccountCurrentCommand` is selector-less: it reads `store.active()` and derives the `(default)` marker from `store.list()` (keyed on `account.id`, identical to `account list`). `--json` / `--ndjson` emit `{ account, isDefault }` by default (override via `renderJson`, validated for serializability); human mode uses `renderText`. When `store.active()` resolves nothing it invokes `onNotAuthenticated({ view, flags })`, or throws `CliError('NOT_AUTHENTICATED', …)` when no hook is supplied — that hook is where consumers render out-of-store credential sources (an env-var token, legacy single-user creds).
+`attachAccountCurrentCommand` is selector-less: it resolves the active account token-free via `store.activeAccount()` when the store implements it (falling back to `store.active()` + `store.list()`), so the `(default)` marker matches `account list` without paying a token read this command never uses. `--json` / `--ndjson` emit `{ account, isDefault }` by default (override via `renderJson`, validated for serializability); human mode uses `renderText`. When nothing resolves it invokes `onNotAuthenticated({ view, flags })`, or throws `CliError('NOT_AUTHENTICATED', …)` when no hook is supplied — that hook is where consumers render out-of-store credential sources (an env-var token, legacy single-user creds).
 
-`attachAccountRemoveCommand` takes a positional `<ref>` and resolves the target **token-free**: it snapshots `store.list()`, lets the store match + delete the ref via `store.clear(ref)`, then diffs the list to learn which account was removed. Routing through `clear(ref)` rather than `store.active(ref)` is deliberate — `clear` never reads the token, so a broken/unreadable keyring entry can still be removed, whereas `active(ref)` may throw `AUTH_STORE_READ_FAILED` and leave the entry impossible to clean up. A ref that matches nothing is a `clear` no-op and surfaces as `CliError('ACCOUNT_NOT_FOUND', …)`. `--json` emits `{ ok: true, removed: <id> }`; `--ndjson` is silent; human mode prints `✓ Removed <label ?? id>` plus a `Cleared default account.` line when the removed account was the default (override the whole human block via `renderText`). The optional `onRemoved` hook fires after the success line — use it for store-specific follow-ups not on the `TokenStore` contract (e.g. surfacing a keyring-fallback warning).
+`attachAccountRemoveCommand` takes a positional `<ref>` and delegates resolution + deletion to `store.clear(ref)`, which the contract defines as token-free and atomic: it returns the removed account (plus whether it was the effective default) or `null` when `ref` matched nothing. Routing everything through `clear` means a broken/unreadable keyring entry stays removable (no token read, unlike `active(ref)` which may throw `AUTH_STORE_READ_FAILED`), and the store — not the attacher — owns ref-matching, so there's no before/after `list()` diff to race a concurrent mutation. A `null` return surfaces as `CliError('ACCOUNT_NOT_FOUND', …)`. `--json` emits `{ ok: true, removed: <id> }`; `--ndjson` is silent; human mode prints `✓ Removed <label ?? id>` with a ` (default)` marker when the removed account was the default — the marker states only what _was_ removed, not whether a survivor is now the implicit default (override the whole human block via `renderText`). The optional `onRemoved` hook fires after the success line — use it for store-specific follow-ups not on the `TokenStore` contract (e.g. surfacing a keyring-fallback warning).
 
 #### Standard flag set
 
diff --git a/src/auth/account.test.ts b/src/auth/account.test.ts
index 4796c71..5dcb832 100644
--- a/src/auth/account.test.ts
+++ b/src/auth/account.test.ts
@@ -58,15 +58,20 @@ function buildStore(initial: Entry[] = bothAccounts): {
                 : entries.find((entry) => matches(entry, ref))
         return target ? { token: `token-${target.account.id}`, account: target.account } : null
     })
-    // Token-free removal: match by id/email/label (or the default when no ref)
-    // and drop the entry, so a follow-up `list()` reflects the removal — this
-    // is what `attachAccountRemoveCommand` diffs against.
-    const clearSpy = vi.fn(async (ref?: string) => {
-        const idx = entries.findIndex((entry) =>
-            ref === undefined ? entry.isDefault : matches(entry, ref),
-        )
-        if (idx !== -1) entries.splice(idx, 1)
-    })
+    // Token-free removal: match by id/email/label (or the default when no ref),
+    // drop the entry, and report the removed account + its prior default bit —
+    // mirroring the `TokenStore.clear` contract `attachAccountRemoveCommand`
+    // relies on. Returns `null` on a miss (no-op).
+    const clearSpy = vi.fn(
+        async (ref?: string): Promise<{ account: Account; wasDefault: boolean } | null> => {
+            const idx = entries.findIndex((entry) =>
+                ref === undefined ? entry.isDefault : matches(entry, ref),
+            )
+            if (idx === -1) return null
+            const [removed] = entries.splice(idx, 1)
+            return { account: removed.account, wasDefault: removed.isDefault }
+        },
+    )
     const store: TokenStore<Account> = {
         active: activeSpy,
         set: vi.fn(),
@@ -561,9 +566,14 @@ describe('attachAccountCurrentCommand', () => {
         expect(logSpy).toHaveBeenCalledWith(formatJson({ account: a1, isDefault: true }))
     })
 
-    it('throws INVALID_TYPE in both machine modes when renderJson is non-serializable', async () => {
-        const renderJson = vi.fn(() => undefined)
-
+    // Covers both non-serializable shapes: a top-level `undefined`
+    // (`JSON.stringify` returns `undefined`) and a value that makes
+    // `JSON.stringify` *throw* (a `BigInt`). Both must surface as INVALID_TYPE
+    // in either machine mode rather than leaking a raw TypeError.
+    it.each([
+        ['top-level undefined', () => undefined],
+        ['a throwing BigInt', () => ({ count: 1n })],
+    ])('throws INVALID_TYPE in both machine modes for %s', async (_label, renderJson) => {
         for (const mode of ['--json', '--ndjson'] as const) {
             const { program } = buildCurrent({ renderJson })
             await expect(
@@ -593,6 +603,19 @@ describe('attachAccountCurrentCommand', () => {
         ).rejects.toMatchObject({ constructor: CliError, code: 'NOT_AUTHENTICATED' })
     })
 
+    it('prefers store.activeAccount over active() + list() when implemented', async () => {
+        const built = buildStore()
+        built.store.activeAccount = vi.fn(async () => ({ account: a2, isDefault: false }))
+        const { program } = buildCurrent({}, built.store)
+
+        await program.parseAsync(['node', 'cli', 'account', 'current'])
+
+        expect(built.store.activeAccount).toHaveBeenCalledOnce()
+        expect(built.activeSpy).not.toHaveBeenCalled()
+        expect(built.listSpy).not.toHaveBeenCalled()
+        expect(logSpy).toHaveBeenCalledWith('Bob (id:2)')
+    })
+
     it('returns the new Command so the consumer can chain', () => {
         const { command } = buildCurrent()
 
@@ -611,7 +634,7 @@ describe('attachAccountRemoveCommand', () => {
         logSpy.mockRestore()
     })
 
-    it('removes the matched account by ref and flags the cleared default', async () => {
+    it('removes the matched account by ref and marks it as the former default', async () => {
         const built = buildStore()
         const { program } = buildRemove({}, built.store)
 
@@ -620,11 +643,11 @@ describe('attachAccountRemoveCommand', () => {
 
         expect(built.clearSpy).toHaveBeenCalledWith('alice@b')
         expect(await built.store.list()).toEqual([{ account: a2, isDefault: false }])
-        const emitted = logSpy.mock.calls.map((call: unknown[]) => call[0])
-        expect(emitted).toEqual(['✓ Removed Alice', 'Cleared default account.'])
+        expect(logSpy).toHaveBeenCalledOnce()
+        expect(logSpy).toHaveBeenCalledWith('✓ Removed Alice (default)')
     })
 
-    it('omits the cleared-default line when the removed account was not the default', async () => {
+    it('omits the (default) marker when the removed account was not the default', async () => {
         const built = buildStore()
         const { program } = buildRemove({}, built.store)
 
@@ -658,7 +681,7 @@ describe('attachAccountRemoveCommand', () => {
 
         expect(built.store.active).not.toHaveBeenCalled()
         expect(await built.store.list()).toEqual([{ account: a2, isDefault: false }])
-        expect(logSpy).toHaveBeenCalledWith('✓ Removed Alice')
+        expect(logSpy).toHaveBeenCalledWith('✓ Removed Alice (default)')
     })
 
     it('emits { ok, removed } with the canonical id under --json', async () => {
@@ -717,6 +740,27 @@ describe('attachAccountRemoveCommand', () => {
         expect(logSpy).toHaveBeenCalledWith('gone')
     })
 
+    it('emits the success line before awaiting onRemoved', async () => {
+        let releaseHook!: () => void
+        const hookGate = new Promise<void>((resolve) => {
+            releaseHook = resolve
+        })
+        const onRemoved = vi.fn(() => hookGate)
+        const { program } = buildRemove({ onRemoved })
+
+        const parsed = program
+            .parseAsync(['node', 'cli', 'account', 'remove', 'bob@b'])
+            .then(() => 'done')
+        await vi.waitFor(() => expect(onRemoved).toHaveBeenCalled())
+
+        // Success line is already out, but the command is still parked on the hook.
+        expect(logSpy).toHaveBeenCalledWith('✓ Removed Bob')
+        expect(await Promise.race([parsed, Promise.resolve('pending')])).toBe('pending')
+
+        releaseHook()
+        expect(await parsed).toBe('done')
+    })
+
     it('returns the new Command so the consumer can chain', () => {
         const { command } = buildRemove()
 
diff --git a/src/auth/account.ts b/src/auth/account.ts
index 44f0dd0..b22eb4b 100644
--- a/src/auth/account.ts
+++ b/src/auth/account.ts
@@ -105,6 +105,26 @@ function buildAccountPayload<TAccount extends AuthAccount>(
     return payload
 }
 
+/**
+ * Resolve the active account plus its effective-default status. Prefers the
+ * store's token-free `activeAccount` resolver (a single metadata read); falls
+ * back to `active()` + `list()` for stores that don't implement it.
+ */
+async function resolveActiveAccount<TAccount extends AuthAccount>(
+    store: TokenStore<TAccount>,
+): Promise<{ account: TAccount; isDefault: boolean } | null> {
+    if (store.activeAccount) return store.activeAccount()
+    const snapshot = await store.active()
+    if (!snapshot) return null
+    const accounts = await store.list()
+    return {
+        account: snapshot.account,
+        isDefault: accounts.some(
+            (entry) => entry.account.id === snapshot.account.id && entry.isDefault,
+        ),
+    }
+}
+
 function defaultListText<TAccount extends AuthAccount>(
     ctx: AttachAccountListContext<TAccount>,
 ): string[] {
@@ -246,10 +266,10 @@ export type AttachAccountCurrentCommandOptions<TAccount extends AuthAccount = Au
         flags: Record<string, unknown>
     }): unknown
     /**
-     * Called when `store.active()` resolves nothing. Default behaviour throws
-     * `CliError('NOT_AUTHENTICATED', …)`. Consumers with out-of-store credential
-     * sources (env var, legacy single-user creds) use this hook to render those
-     * cases — mirroring `attachStatusCommand`.
+     * Called when nothing resolves as the active account. Default behaviour
+     * throws `CliError('NOT_AUTHENTICATED', …)`. Consumers with out-of-store
+     * credential sources (env var, legacy single-user creds) use this hook to
+     * render those cases — mirroring `attachStatusCommand`.
      */
     onNotAuthenticated?(ctx: {
         view: Required<ViewOptions>
@@ -259,13 +279,14 @@ export type AttachAccountCurrentCommandOptions<TAccount extends AuthAccount = Au
 
 /**
  * Attach `current` as a subcommand of `parent` (typically an `account` group).
- * Reads the active credential via `store.active()` (no selector — the active
- * account is whatever the store resolves by default), derives the `(default)`
- * marker from `store.list()` keyed on `account.id` (so it stays identical to
- * `account list`), then dispatches to `renderText` (human) or `renderJson`
- * (machine). `--json` wins when both flags are present. When `store.active()`
- * returns null it invokes `onNotAuthenticated` (or throws `NOT_AUTHENTICATED`).
- * Returns the new `Command` so the consumer can chain.
+ * Resolves the active account token-free via `store.activeAccount()` when the
+ * store implements it (falling back to `store.active()` + `store.list()`), so
+ * the `(default)` marker stays identical to `account list` without paying a
+ * token read this command never uses. No selector — the active account is
+ * whatever the store resolves by default. Dispatches to `renderText` (human) or
+ * `renderJson` (machine); `--json` wins when both flags are present. When
+ * nothing resolves it invokes `onNotAuthenticated` (or throws
+ * `NOT_AUTHENTICATED`). Returns the new `Command` so the consumer can chain.
  */
 export function attachAccountCurrentCommand<TAccount extends AuthAccount = AuthAccount>(
     parent: Command,
@@ -278,21 +299,17 @@ export function attachAccountCurrentCommand<TAccount extends AuthAccount = AuthA
         .option('--ndjson', 'Emit machine-readable NDJSON output')
         .action(async (cmd: Record<string, unknown>) => {
             const { view, flags } = splitViewFlags(cmd)
-            const snapshot = await options.store.active()
-            if (!snapshot) {
+            const resolved = await resolveActiveAccount(options.store)
+            if (!resolved) {
                 if (options.onNotAuthenticated) {
                     await options.onNotAuthenticated({ view, flags })
                     return
                 }
                 throw new CliError('NOT_AUTHENTICATED', 'Not signed in.')
             }
-            const accounts = await options.store.list()
-            const isDefault = accounts.some(
-                (entry) => entry.account.id === snapshot.account.id && entry.isDefault,
-            )
             const ctx: AttachAccountCurrentContext<TAccount> = {
-                account: snapshot.account,
-                isDefault,
+                account: resolved.account,
+                isDefault: resolved.isDefault,
                 view,
                 flags,
             }
@@ -313,7 +330,7 @@ export function attachAccountCurrentCommand<TAccount extends AuthAccount = AuthA
 }
 
 export type AttachAccountRemoveContext<TAccount extends AuthAccount> = {
-    /** The account that was removed, captured from `store.list()` before `clear()`. */
+    /** The account that was removed, as reported by `store.clear()`. */
     account: TAccount
     /** The raw `<ref>` positional the user typed. */
     ref: AccountRef
@@ -330,10 +347,11 @@ export type AttachAccountRemoveCommandOptions<TAccount extends AuthAccount = Aut
     description?: string
     /**
      * Human-mode renderer over the removed account. Defaults to
-     * `✓ Removed <label ?? id>`, plus a `Cleared default account.` line when the
-     * removed account was the default. Consumers override to localise the
-     * wording (e.g. add a CLI-specific "set a new default" hint). Not called
-     * under `--json` / `--ndjson`.
+     * `✓ Removed <label ?? id>`, with a ` (default)` marker when the removed
+     * account was the default (the marker only states what *was* removed — it
+     * makes no claim about whether a survivor is now the implicit default).
+     * Consumers override to localise the wording (e.g. add a CLI-specific "set a
+     * new default" hint). Not called under `--json` / `--ndjson`.
      */
     renderText?(ctx: AttachAccountRemoveContext<TAccount>): string | readonly string[]
     /**
@@ -347,16 +365,16 @@ export type AttachAccountRemoveCommandOptions<TAccount extends AuthAccount = Aut
 
 /**
  * Attach `remove <ref>` as a subcommand of `parent` (typically an `account`
- * group). Resolves the target token-free: it snapshots `store.list()`, lets the
- * store match + delete the ref via `store.clear(ref)`, then diffs the list to
- * learn which account was removed. Going through `clear(ref)` rather than
- * `store.active(ref)` is deliberate — `clear` never reads the token, so a
- * broken/unreadable keyring entry can still be removed, whereas `active` would
- * throw `AUTH_STORE_READ_FAILED` and make the entry impossible to clean up. A
- * ref that matches nothing is a `clear` no-op and surfaces as
- * `ACCOUNT_NOT_FOUND`. `--json` emits `{ ok: true, removed: <id> }`; `--ndjson`
- * is silent (success-action convention, matching `use`); `--json` wins when
- * both are present. Returns the new `Command` so the consumer can chain.
+ * group). Delegates resolution + deletion to `store.clear(ref)`, which the
+ * contract defines as token-free and atomic: it returns the removed account
+ * (plus whether it was the effective default) or `null` when `ref` matched
+ * nothing. Routing everything through `clear` means a broken/unreadable keyring
+ * entry stays removable (no token read), and the store — not the attacher —
+ * owns ref-matching, so there's no before/after `list()` diff to race against a
+ * concurrent mutation. A `null` return surfaces as `ACCOUNT_NOT_FOUND`.
+ * `--json` emits `{ ok: true, removed: <id> }`; `--ndjson` is silent
+ * (success-action convention, matching `use`); `--json` wins when both are
+ * present. Returns the new `Command` so the consumer can chain.
  */
 export function attachAccountRemoveCommand<TAccount extends AuthAccount = AuthAccount>(
     parent: Command,
@@ -373,15 +391,12 @@ export function attachAccountRemoveCommand<TAccount extends AuthAccount = AuthAc
         .option('--ndjson', 'Emit machine-readable NDJSON output')
         .action(async (ref: string, cmd: Record<string, unknown>) => {
             const { view, flags } = splitViewFlags(cmd)
-            const before = await options.store.list()
-            await options.store.clear(ref)
-            const remainingIds = new Set((await options.store.list()).map((e) => e.account.id))
-            const removed = before.find((entry) => !remainingIds.has(entry.account.id))
-            if (!removed) throw accountNotFoundError(ref)
+            const cleared = await options.store.clear(ref)
+            if (!cleared) throw accountNotFoundError(ref)
             const ctx: AttachAccountRemoveContext<TAccount> = {
-                account: removed.account,
+                account: cleared.account,
                 ref,
-                wasDefault: removed.isDefault,
+                wasDefault: cleared.wasDefault,
                 view,
                 flags,
             }
@@ -389,13 +404,10 @@ export function attachAccountRemoveCommand<TAccount extends AuthAccount = AuthAc
             // action convention); human runs the thunk. The guard skips the
             // silent case so `emitView`'s own `--ndjson` branch never fires.
             if (view.json || !view.ndjson) {
-                emitView(view, { ok: true, removed: removed.account.id }, () => {
-                    const removedLine = `✓ Removed ${removed.account.label ?? removed.account.id}`
-                    const text = options.renderText
-                        ? options.renderText(ctx)
-                        : ctx.wasDefault
-                          ? [removedLine, 'Cleared default account.']
-                          : removedLine
+                emitView(view, { ok: true, removed: cleared.account.id }, () => {
+                    const name = cleared.account.label ?? cleared.account.id
+                    const removedLine = `✓ Removed ${name}${ctx.wasDefault ? ' (default)' : ''}`
+                    const text = options.renderText ? options.renderText(ctx) : removedLine
                     return typeof text === 'string' ? [text] : text
                 })
             }
diff --git a/src/auth/flow.test.ts b/src/auth/flow.test.ts
index 1d37bf5..8122f90 100644
--- a/src/auth/flow.test.ts
+++ b/src/auth/flow.test.ts
@@ -38,6 +38,7 @@ function fakeStore(): TokenStore<Account> & { last?: { account: Account; token:
         },
         async clear() {
             state.last = undefined
+            return null
         },
         async list() {
             return state.last ? [{ account: state.last.account, isDefault: true }] : []
@@ -375,7 +376,9 @@ describe('runOAuthFlow', () => {
             },
             set,
             setBundle,
-            async clear() {},
+            async clear() {
+                return null
+            },
             async list() {
                 return []
             },
@@ -418,7 +421,9 @@ describe('runOAuthFlow', () => {
                 return null
             },
             set,
-            async clear() {},
+            async clear() {
+                return null
+            },
             async list() {
                 return []
             },
@@ -450,7 +455,9 @@ describe('runOAuthFlow', () => {
             async set() {
                 throw new Error('disk full')
             },
-            async clear() {},
+            async clear() {
+                return null
+            },
             async list() {
                 return []
             },
diff --git a/src/auth/index.ts b/src/auth/index.ts
index 58b2b93..109badc 100644
--- a/src/auth/index.ts
+++ b/src/auth/index.ts
@@ -54,6 +54,7 @@ export type {
     AuthorizeInput,
     AuthorizeResult,
     AuthProvider,
+    ClearedAccount,
     ExchangeInput,
     ExchangeResult,
     PrepareInput,
diff --git a/src/auth/keyring/token-store.test.ts b/src/auth/keyring/token-store.test.ts
index 4e04975..616addf 100644
--- a/src/auth/keyring/token-store.test.ts
+++ b/src/auth/keyring/token-store.test.ts
@@ -396,6 +396,69 @@ describe('createKeyringTokenStore', () => {
                 account: { id: '1' },
             })
         })
+
+        it('clear(ref) returns the removed account with its prior default bit', async () => {
+            const { store, state } = multiUserFixture()
+            state.defaultId = '1'
+
+            await expect(store.clear('2')).resolves.toMatchObject({
+                account: { id: '2' },
+                wasDefault: false,
+            })
+            await expect(store.clear('1')).resolves.toMatchObject({
+                account: { id: '1' },
+                wasDefault: true,
+            })
+        })
+
+        it('clear(ref) returns null on a miss', async () => {
+            const { store } = multiUserFixture()
+            await expect(store.clear('does-not-exist')).resolves.toBeNull()
+        })
+
+        it('clear(ref) removes a record whose token slot is unreadable (token-free)', async () => {
+            const { store, state } = multiUserFixture()
+            // user-3 has neither a keyring slot nor a fallbackToken, so reading
+            // its token fails — but removal must not depend on that read.
+            state.records.set('3', { account: { id: '3', label: 'carol', email: 'e@f' } })
+
+            await expect(store.active('3')).rejects.toMatchObject({
+                code: 'AUTH_STORE_READ_FAILED',
+            })
+            await expect(store.clear('3')).resolves.toMatchObject({ account: { id: '3' } })
+            expect(state.records.has('3')).toBe(false)
+        })
+    })
+
+    describe('activeAccount() (token-free resolution)', () => {
+        const a: Account = { id: '1', label: 'a', email: 'a@b' }
+        const b: Account = { id: '2', label: 'b', email: 'c@d' }
+
+        it('resolves the active + ref account with its default bit, never reading the token slot', async () => {
+            const { store, keyring } = fixture({
+                records: { '1': { account: a }, '2': { account: b } },
+                defaultId: '2',
+            })
+
+            await expect(store.activeAccount()).resolves.toEqual({ account: b, isDefault: true })
+            await expect(store.activeAccount('1')).resolves.toEqual({
+                account: a,
+                isDefault: false,
+            })
+            expect(keyring.getSpy).not.toHaveBeenCalled()
+        })
+
+        it('returns null when no records are stored', async () => {
+            const { store } = fixture()
+            await expect(store.activeAccount()).resolves.toBeNull()
+        })
+
+        it('throws NO_ACCOUNT_SELECTED when multiple records exist with no default', async () => {
+            const { store } = fixture({ records: { '1': { account: a }, '2': { account: b } } })
+            await expect(store.activeAccount()).rejects.toMatchObject({
+                code: 'NO_ACCOUNT_SELECTED',
+            })
+        })
     })
 
     describe('list() + setDefault()', () => {
diff --git a/src/auth/keyring/token-store.ts b/src/auth/keyring/token-store.ts
index a8cc5c4..600207c 100644
--- a/src/auth/keyring/token-store.ts
+++ b/src/auth/keyring/token-store.ts
@@ -63,6 +63,12 @@ export type KeyringTokenStore<TAccount extends AuthAccount> = TokenStore<TAccoun
      * (`refreshAccessToken`) call it without a non-null assertion.
      */
     activeBundle(ref?: AccountRef): Promise<ActiveBundleSnapshot<TAccount> | null>
+    /**
+     * Override `activeAccount` as required (not optional) — the keyring store
+     * always resolves the active account token-free, so cli-core's `current`
+     * attacher can rely on it instead of the `active()` + `list()` fallback.
+     */
+    activeAccount(ref?: AccountRef): Promise<{ account: TAccount; isDefault: boolean } | null>
     /** Storage result from the most recent `set()` / `setBundle()` call, or `undefined` before any (and reset to `undefined` when the most recent write threw). */
     getLastStorageResult(): TokenStorageResult | undefined
     /** Storage result from the most recent `clear()` call, or `undefined` before any (and reset to `undefined` when the most recent `clear()` threw or was a no-op). */
@@ -184,6 +190,21 @@ export function createKeyringTokenStore<TAccount extends AuthAccount>(
         )
     }
 
+    /**
+     * The record `active()` / `list()` treat as the default: the pinned default
+     * when it resolves to a stored record, else the sole record. `null` when
+     * nothing resolves (no records, or several with no pin). Wraps
+     * `resolveTarget`'s `NO_ACCOUNT_SELECTED` throw into `null` — callers here
+     * want the effective marker, not the ambiguity error.
+     */
+    function effectiveDefault(snapshot: Snapshot): UserRecord<TAccount> | null {
+        try {
+            return resolveTarget(snapshot, undefined)
+        } catch {
+            return null
+        }
+    }
+
     function fallbackResult(action: string): TokenStorageResult {
         return {
             storage: 'config-file',
@@ -349,7 +370,12 @@ export function createKeyringTokenStore<TAccount extends AuthAccount>(
             // even on the explicit-ref path.
             const snapshot = await readFullSnapshot()
             const record = resolveTarget(snapshot, ref)
-            if (!record) return
+            if (!record) return null
+
+            // Captured before the removal so the reported marker reflects the
+            // pre-clear state (an implicit default among the survivors is a
+            // separate post-clear fact the caller can describe how it likes).
+            const wasDefault = effectiveDefault(snapshot)?.account.id === record.account.id
 
             await userRecords.remove(record.account.id)
 
@@ -380,22 +406,28 @@ export function createKeyringTokenStore<TAccount extends AuthAccount>(
                 record.fallbackToken !== undefined ||
                 record.fallbackRefreshToken !== undefined
             lastClearResult = fellBack ? fallbackClear : { storage: 'secure-store' }
+            return { account: record.account, wasDefault }
         },
 
-        async list() {
+        async activeAccount(ref) {
+            // Metadata-only resolution: read the record store (records +
+            // pinned default) but never the token slot, so `account current`
+            // pays a single record-store round-trip instead of `active()`'s
+            // token IPC plus a separate `list()`.
             const snapshot = await readFullSnapshot()
-            // Use `resolveTarget` to compute the *effective* default so the
-            // `isDefault` markers match what `active()` would resolve — that
-            // includes the implicit single-record case. `resolveTarget` can
-            // throw `NO_ACCOUNT_SELECTED`, which we want to swallow here
-            // (listing accounts is a diagnostic operation that must work
-            // even when no default is pinned).
-            let implicitDefault: UserRecord<TAccount> | null = null
-            try {
-                implicitDefault = resolveTarget(snapshot, undefined)
-            } catch {
-                // multiple records, no default → `isDefault: false` for all
+            const record = resolveTarget(snapshot, ref)
+            if (!record) return null
+            return {
+                account: record.account,
+                isDefault: effectiveDefault(snapshot)?.account.id === record.account.id,
             }
+        },
+
+        async list() {
+            const snapshot = await readFullSnapshot()
+            // The effective default matches what `active()` would resolve —
+            // including the implicit single-record case.
+            const implicitDefault = effectiveDefault(snapshot)
             return snapshot.records.map((record) => ({
                 account: record.account,
                 isDefault: record.account.id === implicitDefault?.account.id,
diff --git a/src/auth/logout.test.ts b/src/auth/logout.test.ts
index d16c060..67890c6 100644
--- a/src/auth/logout.test.ts
+++ b/src/auth/logout.test.ts
@@ -19,7 +19,7 @@ function buildStore(
     clearSpy: ReturnType<typeof vi.fn>
 } {
     const activeSpy = vi.fn(async () => initial)
-    const clearSpy = vi.fn(async () => undefined)
+    const clearSpy = vi.fn(async () => null)
     const store: TokenStore<Account> = {
         active: activeSpy,
         set: vi.fn(),
diff --git a/src/auth/persist.test.ts b/src/auth/persist.test.ts
index 8144a3c..91faa91 100644
--- a/src/auth/persist.test.ts
+++ b/src/auth/persist.test.ts
@@ -17,7 +17,7 @@ function fakeStore(overrides: Partial<TokenStore<Account>> = {}): TokenStore<Acc
     return {
         active: vi.fn(async () => null),
         set: vi.fn(async () => undefined),
-        clear: vi.fn(async () => undefined),
+        clear: vi.fn(async () => null),
         list: vi.fn(async () => []),
         setDefault: vi.fn(async () => undefined),
         ...overrides,
diff --git a/src/auth/refresh.test.ts b/src/auth/refresh.test.ts
index 32b3aea..eb22c1a 100644
--- a/src/auth/refresh.test.ts
+++ b/src/auth/refresh.test.ts
@@ -61,7 +61,9 @@ function fakeStore(
         activeBundle: state.activeBundleSpy as unknown as TokenStore<Account>['activeBundle'],
         async set() {},
         setBundle: state.setBundleSpy as unknown as TokenStore<Account>['setBundle'],
-        async clear() {},
+        async clear() {
+            return null
+        },
         async list() {
             return []
         },
diff --git a/src/auth/types.ts b/src/auth/types.ts
index 7379be9..15d047d 100644
--- a/src/auth/types.ts
+++ b/src/auth/types.ts
@@ -99,6 +99,16 @@ export type ActiveBundleSnapshot<TAccount extends AuthAccount = AuthAccount> = {
 /** Opaque account selector. Stores own the matching rule (id, email, label, …). */
 export type AccountRef = string
 
+/**
+ * Outcome of a successful `clear()`: the account that was removed plus whether
+ * it was the effective default before removal. `clear()` returns `null` instead
+ * when `ref` matched nothing.
+ */
+export type ClearedAccount<TAccount extends AuthAccount = AuthAccount> = {
+    account: TAccount
+    wasDefault: boolean
+}
+
 /**
  * Persistent token + account storage. Uniformly multi-user-shaped — single-user
  * stores implement `list` / `setDefault` against their one stored account (see
@@ -115,6 +125,15 @@ export type TokenStore<TAccount extends AuthAccount = AuthAccount> = {
      * and `attachTokenViewCommand` propagate it.
      */
     active(ref?: AccountRef): Promise<{ token: string; account: TAccount } | null>
+    /**
+     * Token-free resolution of the active account (or the `ref` target) plus its
+     * effective-default status, in a single metadata read — no token-slot IPC.
+     * Optional: cli-core's `account current` falls back to `active()` + `list()`
+     * when a store doesn't implement it. Returns `null` on no match.
+     * `KeyringTokenStore` implements it so `current` doesn't pay a token read it
+     * never uses.
+     */
+    activeAccount?(ref?: AccountRef): Promise<{ account: TAccount; isDefault: boolean } | null>
     /** Persist `token` for `account`, replacing any previous entry. Throw `CliError` for typed failures; other thrown values become `AUTH_STORE_WRITE_FAILED`. */
     set(account: TAccount, token: string): Promise<void>
     /**
@@ -141,8 +160,14 @@ export type TokenStore<TAccount extends AuthAccount = AuthAccount> = {
      * record exists).
      */
     activeBundle?(ref?: AccountRef): Promise<ActiveBundleSnapshot<TAccount> | null>
-    /** Remove a stored credential. No-op when `ref` doesn't match. */
-    clear(ref?: AccountRef): Promise<void>
+    /**
+     * Remove a stored credential **without reading the token** — a record whose
+     * secret is unreadable (e.g. keyring offline) must still be removable.
+     * Resolves + deletes in one step and returns the removed account plus
+     * whether it was the effective default before removal, or `null` when `ref`
+     * matched nothing (no-op). Throw `CliError` for typed failures.
+     */
+    clear(ref?: AccountRef): Promise<ClearedAccount<TAccount> | null>
     /** Every stored account with a default marker. */
     list(): Promise<ReadonlyArray<{ account: TAccount; isDefault: boolean }>>
     /** Mark `ref` as the new default. Throw `CliError('ACCOUNT_NOT_FOUND', …)` on miss. */