fix: address remaining v1.2.4 review follow-ups

Author: ndycode

docs/releases/v1.2.4.md

@@ -25,7 +25,7 @@ This patch release follows the already-published `v1.2.3` rebuild and lands the
 - `npm run typecheck`
 - `npm run build`
 - `npm test`
-- Full suite passed: `222/222` files, `3303/3303` tests
+- Full suite passed: `222/222` files, `3307/3307` tests
 
 ## Related
 

lib/unified-settings.ts

@@ -98,24 +98,34 @@ async function readSettingsRecordAsyncFromPath(
  * Best-effort backup reader for sync callers.
  *
  * Backup corruption is treated as an unavailable backup so callers can keep
- * their legacy null-on-unavailable behavior.
+ * their legacy null-on-unavailable behavior, but unreadable or locked backups
+ * still surface so writers do not rebuild from `{}` over a transient failure.
  */
 function readSettingsBackupSync(): JsonRecord | null {
 	try {
 		return readSettingsRecordSyncFromPath(UNIFIED_SETTINGS_BACKUP_PATH);
-	} catch {
-		return null;
+	} catch (error) {
+		if (isInvalidSettingsRecordError(error)) {
+			return null;
+		}
+		throw error;
 	}
 }
 
 /**
  * Best-effort backup reader for async callers.
+ *
+ * Like the sync variant, only corrupt backups are collapsed to `null`.
+ * Unreadable or locked backups are rethrown so callers can fail closed.
  */
 async function readSettingsBackupAsync(): Promise<JsonRecord | null> {
 	try {
 		return await readSettingsRecordAsyncFromPath(UNIFIED_SETTINGS_BACKUP_PATH);
-	} catch {
-		return null;
+	} catch (error) {
+		if (isInvalidSettingsRecordError(error)) {
+			return null;
+		}
+		throw error;
 	}
 }
 

scripts/codex.js

@@ -233,9 +233,25 @@ function maybeThrowSimulatedShadowHomeBusyError() {
 	}
 }
 
-function renameFileWithRetry(sourcePath, destinationPath) {
+function ensureShadowHomeDestinationMatchesSnapshot(destinationPath, expectedState) {
+	if (!expectedState) {
+		return;
+	}
+	const currentState = captureShadowHomeState(destinationPath);
+	if (!shadowHomeStateMatches(currentState, expectedState)) {
+		const error = new Error("shadow-home destination changed during sync-back retry");
+		error.code = "EEXIST";
+		throw error;
+	}
+}
+
+function renameFileWithRetry(sourcePath, destinationPath, expectedDestinationState) {
 	for (let attempt = 0; attempt <= SHADOW_HOME_CLEANUP_BACKOFF_MS.length; attempt += 1) {
 		try {
+			ensureShadowHomeDestinationMatchesSnapshot(
+				destinationPath,
+				expectedDestinationState,
+			);
 			maybeThrowSimulatedShadowHomeBusyError();
 			renameSync(sourcePath, destinationPath);
 			return;
@@ -532,15 +548,19 @@ function shadowHomeStateMatches(left, right) {
 	);
 }
 
-function syncShadowHomeStateFile(sourcePath, destinationPath) {
+function syncShadowHomeStateFile(
+	sourcePath,
+	destinationPath,
+	expectedDestinationState,
+) {
 	const tempPath = join(
 		dirname(destinationPath),
 		`.${basename(destinationPath)}.codex-multi-auth-sync-${process.pid}.tmp`,
 	);
 	try {
 		mkdirSync(dirname(destinationPath), { recursive: true });
 		copyFileSync(sourcePath, tempPath);
-		renameFileWithRetry(tempPath, destinationPath);
+		renameFileWithRetry(tempPath, destinationPath, expectedDestinationState);
 	} catch (error) {
 		try {
 			rmSync(tempPath, { force: true });
@@ -662,7 +682,7 @@ function createCompatibilityCodexHome(
 				if (shadowHomeStateMatches(shadowState, originalSnapshot)) {
 					continue;
 				}
-				syncShadowHomeStateFile(shadowPath, originalPath);
+				syncShadowHomeStateFile(shadowPath, originalPath, originalSnapshot);
 				tightenShadowHomePermissions(originalPath);
 			} catch {
 				// Best-effort only; runtime auth refreshes should not fail cleanup.

test/codex-bin-wrapper.test.ts

@@ -536,6 +536,70 @@ describe("codex bin wrapper", () => {
 		expect(readFileSync(join(originalHome, ".codex-global-state.json"), "utf8").trim()).toBe('{"last":"shadow"}');
 	});
 
+	it("does not clobber sync-back files that change during rename retry backoff", () => {
+		const fixtureRoot = createWrapperFixture();
+		const fakeBin = createCustomFakeCodexBin(fixtureRoot, [
+			"#!/usr/bin/env node",
+			'const { spawn } = require("node:child_process");',
+			'const fs = require("node:fs");',
+			'const path = require("node:path");',
+			'const home = process.env.CODEX_HOME ?? "";',
+			'const originalHome = process.env.CODEX_MULTI_AUTH_TEST_EXTERNAL_HOME ?? "";',
+			'fs.writeFileSync(path.join(home, "auth.json"), \'{"token":"shadow"}\\n\', "utf8");',
+			'fs.writeFileSync(path.join(home, "accounts.json"), \'{"accounts":["shadow"]}\\n\', "utf8");',
+			'fs.writeFileSync(path.join(home, ".codex-global-state.json"), \'{"last":"shadow"}\\n\', "utf8");',
+			"if (originalHome) {",
+			"  const mutateScript = [",
+			'    \'const fs = require("node:fs");\',',
+			'    \'const path = require("node:path");\',',
+			'    \'const target = process.argv[1];\',',
+			'    \'setTimeout(() => {\',',
+			'    \'  fs.writeFileSync(path.join(target, \"accounts.json\"), \"{\\\\\"accounts\\\\\":[\\\\\"external-during-retry\\\\\"]}\\\\n\", \"utf8\");\',',
+			'    \'  fs.writeFileSync(path.join(target, \".codex-global-state.json\"), \"{\\\\\"last\\\\\":\\\\\"external-during-retry\\\\\"}\\\\n\", \"utf8\");\',',
+			'    \'  process.exit(0);\',',
+			'    \'}, 40);\',',
+			"  ].join(\"\\n\");",
+			"  const mutator = spawn(process.execPath, [\"-e\", mutateScript, originalHome], {",
+			"    detached: true,",
+			'    stdio: "ignore",',
+			"  });",
+			"  mutator.unref();",
+			"}",
+			"process.exit(0);",
+		]);
+		const originalHome = join(fixtureRoot, "codex-home");
+		const controlledTmp = join(fixtureRoot, "tmp");
+		mkdirSync(originalHome, { recursive: true });
+		mkdirSync(controlledTmp, { recursive: true });
+		writeFileSync(join(originalHome, "auth.json"), '{"token":"original"}\n', "utf8");
+		writeFileSync(join(originalHome, "accounts.json"), '{"accounts":["original"]}\n', "utf8");
+		writeFileSync(join(originalHome, ".codex-global-state.json"), '{"last":"original"}\n', "utf8");
+		writeFileSync(join(originalHome, "config.toml"), 'model_reasoning_effort = "xhigh"\n', "utf8");
+
+		const result = runWrapper(
+			fixtureRoot,
+			["exec", "status", "--model", "gpt-5.1"],
+			{
+				CODEX_MULTI_AUTH_REAL_CODEX_BIN: fakeBin,
+				CODEX_HOME: originalHome,
+				CODEX_MULTI_AUTH_TEST_EXTERNAL_HOME: originalHome,
+				TMP: controlledTmp,
+				TEMP: controlledTmp,
+				TMPDIR: controlledTmp,
+				...injectShadowCleanupBusyFailures(3),
+			},
+		);
+
+		expect(result.status).toBe(0);
+		expect(readFileSync(join(originalHome, "auth.json"), "utf8").trim()).toBe('{"token":"shadow"}');
+		expect(readFileSync(join(originalHome, "accounts.json"), "utf8").trim()).toBe(
+			'{"accounts":["external-during-retry"]}',
+		);
+		expect(
+			readFileSync(join(originalHome, ".codex-global-state.json"), "utf8").trim(),
+		).toBe('{"last":"external-during-retry"}');
+	});
+
 	it("rewrites unquoted config reasoning effort values for mini compatibility models", () => {
 		const fixtureRoot = createWrapperFixture();
 		const fakeBin = createCustomFakeCodexBin(fixtureRoot, [

test/index.test.ts

@@ -4643,6 +4643,141 @@ describe("OpenAIOAuthPlugin runtime toast forwarding", () => {
 		expect(fallbackCancelSpy).toHaveBeenCalledTimes(1);
 	});
 
+	it("records capability failure once for non-429 stream failover fallback errors", async () => {
+		const { AccountManager } = await import("../lib/accounts.js");
+		const { CapabilityPolicyStore } = await import("../lib/capability-policy.js");
+		const fetchHelpersModule = await import("../lib/request/fetch-helpers.js");
+		const streamFailoverModule = await import("../lib/request/stream-failover.js");
+		const currentAccount = {
+			index: 0,
+			accountId: "acc-1",
+			email: "alpha@example.com",
+			refreshToken: "refresh-1",
+			accessToken: "access-alpha",
+		};
+		const fallbackAccount = {
+			index: 1,
+			accountId: "acc-2",
+			email: "beta@example.com",
+			refreshToken: "refresh-2",
+			accessToken: "access-beta",
+		};
+		const recordFailure = vi.fn();
+		const saveToDiskDebounced = vi.fn();
+		const capabilityFailureSpy = vi.spyOn(
+			CapabilityPolicyStore.prototype,
+			"recordFailure",
+		);
+		const pendingFailovers: Array<Promise<unknown>> = [];
+		const fallbackErrorResponse = new Response(
+			new ReadableStream({
+				start(controller) {
+					controller.enqueue(new TextEncoder().encode("server error"));
+					controller.close();
+				},
+			}),
+			{ status: 500 },
+		);
+		const manager = {
+			getAccountCount: () => 2,
+			getCurrentOrNextForFamilyHybrid: () => currentAccount,
+			getCurrentOrNextForFamily: () => currentAccount,
+			getCurrentWorkspace: () => null,
+			getAccountByIndex: (index: number) =>
+				index === fallbackAccount.index ? fallbackAccount : currentAccount,
+			getAccountsSnapshot: () => [currentAccount, fallbackAccount],
+			isAccountAvailableForFamily: (index: number) => index === fallbackAccount.index,
+			toAuthDetails: (account: typeof currentAccount | typeof fallbackAccount) => ({
+				type: "oauth" as const,
+				access: account.accessToken,
+				refresh: account.refreshToken,
+				expires: Date.now() + 60_000,
+			}),
+			hasRefreshToken: () => true,
+			saveToDiskDebounced,
+			updateFromAuth: () => {},
+			clearAuthFailures: () => {},
+			incrementAuthFailures: () => 1,
+			saveToDisk: async () => {},
+			markAccountCoolingDown: () => {},
+			markRateLimited: () => {},
+			markRateLimitedWithReason: () => {},
+			consumeToken: () => true,
+			refundToken: () => {},
+			syncCodexCliActiveSelectionForIndex: async () => {},
+			markSwitched: () => {},
+			removeAccount: () => {},
+			recordFailure,
+			recordSuccess: () => {},
+			recordRateLimit: () => {},
+			getMinWaitTimeForFamily: () => 0,
+			shouldShowAccountToast: () => false,
+			markToastShown: () => {},
+			setActiveIndex: () => null,
+		};
+		vi.spyOn(AccountManager, "loadFromDisk").mockResolvedValueOnce(manager as never);
+		vi.mocked(fetchHelpersModule.handleErrorResponse).mockImplementation(
+			async (response: Response) =>
+				({
+					response,
+					errorBody: "server error",
+				}) as never,
+		);
+		vi.mocked(fetchHelpersModule.transformRequestForCodex).mockImplementation(
+			async (init, _url, _userConfig, _codexMode, body) => ({
+				updatedInit: {
+					...(init as RequestInit),
+					body: JSON.stringify(body ?? {}),
+				},
+				body: (body ?? {
+					model: "gpt-5.1",
+					stream: true,
+				}) as {
+					model: string;
+					stream?: boolean;
+				},
+			}),
+		);
+		vi.spyOn(streamFailoverModule, "withStreamingFailover").mockImplementation(
+			(initialResponse, getFallbackResponse) => {
+				pendingFailovers.push(getFallbackResponse(1, 0));
+				return initialResponse;
+			},
+		);
+		let fetchCount = 0;
+		globalThis.fetch = vi.fn().mockImplementation(async () => {
+			fetchCount += 1;
+			if (fetchCount === 1) {
+				return new Response("data: ok\n\n", { status: 200 });
+			}
+			return fallbackErrorResponse;
+		});
+
+		const mockClient = createMockClient();
+		const { OpenAIOAuthPlugin } = await import("../index.js");
+		const plugin = await OpenAIOAuthPlugin({ client: mockClient } as never) as unknown as PluginType;
+		const sdk = await plugin.auth.loader(getOAuthAuth, { options: {}, models: {} });
+		const response = await sdk.fetch!("https://api.openai.com/v1/chat/completions", {
+			method: "POST",
+			body: JSON.stringify({ model: "gpt-5.1", stream: true }),
+		});
+		await Promise.all(pendingFailovers);
+
+		expect(response.status).toBe(200);
+		expect(recordFailure).toHaveBeenCalledTimes(1);
+		expect(recordFailure).toHaveBeenCalledWith(
+			fallbackAccount,
+			"gpt-5.1",
+			"gpt-5.1",
+		);
+		expect(capabilityFailureSpy).toHaveBeenCalledTimes(1);
+		expect(capabilityFailureSpy.mock.calls[0]?.[0]).toMatch(
+			/^account:acc-2::email:/,
+		);
+		expect(capabilityFailureSpy.mock.calls[0]?.[1]).toBe("gpt-5.1");
+		expect(saveToDiskDebounced).not.toHaveBeenCalled();
+	});
+
 	it("forwards persistence error toast arguments through manual OAuth flow", async () => {
 		const authModule = await import("../lib/auth/auth.js");
 		const storageModule = await import("../lib/storage.js");