fix-report-live-token-freshness-handling

Author: ndycode

lib/codex-manager.ts

@@ -3224,6 +3224,7 @@ export async function runCodexMultiAuthCli(rawArgs: string[]): Promise<number> {
 			loadAccounts,
 			saveAccounts,
 			resolveActiveIndex,
+			hasUsableAccessToken,
 			queuedRefresh,
 			fetchCodexQuotaSnapshot,
 			formatRateLimitEntry,

lib/codex-manager/commands/report.ts

@@ -58,6 +58,10 @@ export interface ReportCommandDeps {
 	loadAccounts: () => Promise<AccountStorageV3 | null>;
 	saveAccounts: (storage: AccountStorageV3) => Promise<void>;
 	resolveActiveIndex: (storage: AccountStorageV3, family?: "codex") => number;
+	hasUsableAccessToken: (
+		account: Pick<AccountMetadataV3, "accessToken" | "expiresAt">,
+		now: number,
+	) => boolean;
 	queuedRefresh: (refreshToken: string) => Promise<TokenResult>;
 	fetchCodexQuotaSnapshot: (input: {
 		accountId: string;
@@ -362,73 +366,79 @@ export async function runReportCommand(
 			const account = storage.accounts[i];
 			if (!account || account.enabled === false) continue;
 
-			const refreshResult = await deps.queuedRefresh(account.refreshToken);
-			if (refreshResult.type !== "success") {
-				refreshFailures.set(i, {
-					...refreshResult,
-					message: deps.normalizeFailureDetail(
-						refreshResult.message,
-						refreshResult.reason,
-					),
-				});
-				continue;
-			}
-
-			const refreshedEmail = sanitizeEmail(
-				extractAccountEmail(refreshResult.access, refreshResult.idToken),
-			);
-			const tokenDerivedAccountId = extractAccountId(refreshResult.access);
-			const refreshedAccountId = account.accountId ?? tokenDerivedAccountId;
-			const previousRefreshToken = account.refreshToken;
-			const previousAccessToken = account.accessToken;
-			const previousExpiresAt = account.expiresAt;
-			const previousEmail = account.email;
-			const previousAccountId = account.accountId;
-			const refreshPatch: RefreshedAccountPatch = {
-				refreshToken: refreshResult.refresh,
-				accessToken: refreshResult.access,
-				expiresAt: refreshResult.expires,
-			};
-			if (refreshedEmail) {
-				refreshPatch.email = refreshedEmail;
-			}
-			if (tokenDerivedAccountId) {
-				refreshPatch.accountId = tokenDerivedAccountId;
-				refreshPatch.accountIdSource = "token";
-			}
-			const accountMatch: AccountIdentityMatch = {
-				refreshToken: previousRefreshToken,
-				email: previousEmail,
-				accountId: previousAccountId,
-			};
-			applyRefreshedAccountPatch(account, refreshPatch);
-			if (
-				previousRefreshToken !== refreshPatch.refreshToken ||
-				previousAccessToken !== refreshPatch.accessToken ||
-				previousExpiresAt !== refreshPatch.expiresAt ||
-				previousEmail !== account.email ||
-				previousAccountId !== account.accountId
-			) {
-				try {
-					await persistRefreshedAccountPatch(
-						storage,
-						accountMatch,
-						refreshPatch,
-						deps.loadAccounts,
-						deps.saveAccounts,
-					);
-				} catch (error) {
-					const message = deps.normalizeFailureDetail(
-						error instanceof Error ? error.message : String(error),
-						undefined,
-					);
-					probeErrors.push(`${formatAccountLabel(account, i)}: ${message}`);
+			let probeAccessToken = account.accessToken;
+			let probeAccountId =
+				account.accountId ?? extractAccountId(account.accessToken);
+			if (!deps.hasUsableAccessToken(account, now)) {
+				const refreshResult = await deps.queuedRefresh(account.refreshToken);
+				if (refreshResult.type !== "success") {
+					refreshFailures.set(i, {
+						...refreshResult,
+						message: deps.normalizeFailureDetail(
+							refreshResult.message,
+							refreshResult.reason,
+						),
+					});
 					continue;
 				}
+
+				const refreshedEmail = sanitizeEmail(
+					extractAccountEmail(refreshResult.access, refreshResult.idToken),
+				);
+				const tokenDerivedAccountId = extractAccountId(refreshResult.access);
+				const refreshedAccountId = account.accountId ?? tokenDerivedAccountId;
+				const previousRefreshToken = account.refreshToken;
+				const previousAccessToken = account.accessToken;
+				const previousExpiresAt = account.expiresAt;
+				const previousEmail = account.email;
+				const previousAccountId = account.accountId;
+				const refreshPatch: RefreshedAccountPatch = {
+					refreshToken: refreshResult.refresh,
+					accessToken: refreshResult.access,
+					expiresAt: refreshResult.expires,
+				};
+				if (refreshedEmail) {
+					refreshPatch.email = refreshedEmail;
+				}
+				if (tokenDerivedAccountId) {
+					refreshPatch.accountId = tokenDerivedAccountId;
+					refreshPatch.accountIdSource = "token";
+				}
+				const accountMatch: AccountIdentityMatch = {
+					refreshToken: previousRefreshToken,
+					email: previousEmail,
+					accountId: previousAccountId,
+				};
+				applyRefreshedAccountPatch(account, refreshPatch);
+				probeAccessToken = refreshResult.access;
+				probeAccountId = account.accountId ?? refreshedAccountId;
+				if (
+					previousRefreshToken !== refreshPatch.refreshToken ||
+					previousAccessToken !== refreshPatch.accessToken ||
+					previousExpiresAt !== refreshPatch.expiresAt ||
+					previousEmail !== account.email ||
+					previousAccountId !== account.accountId
+				) {
+					try {
+						await persistRefreshedAccountPatch(
+							storage,
+							accountMatch,
+							refreshPatch,
+							deps.loadAccounts,
+							deps.saveAccounts,
+						);
+					} catch (error) {
+						const message = deps.normalizeFailureDetail(
+							error instanceof Error ? error.message : String(error),
+							undefined,
+						);
+						probeErrors.push(`${formatAccountLabel(account, i)}: ${message}`);
+						continue;
+					}
+				}
 			}
 
-			const accountId = account.accountId ?? refreshedAccountId;
-			if (!accountId) {
+			if (!probeAccessToken || !probeAccountId) {
 				probeErrors.push(
 					`${formatAccountLabel(account, i)}: missing accountId for live probe`,
 				);
@@ -437,8 +447,8 @@ export async function runReportCommand(
 
 			try {
 				const liveQuota = await deps.fetchCodexQuotaSnapshot({
-					accountId,
-					accessToken: refreshResult.access,
+					accountId: probeAccountId,
+					accessToken: probeAccessToken,
 					model: modelInspection.normalized,
 				});
 				liveQuotaByIndex.set(i, liveQuota);

lib/runtime/account-pool.ts

@@ -161,7 +161,7 @@ export async function persistAccountPoolResults(params: {
 				refreshToken: result.refresh,
 				accessToken: result.access,
 				expiresAt: result.expires,
-				lastUsed: now,
+				lastUsed: existing.lastUsed ?? now,
 				workspaces: mergedWorkspaces,
 				currentWorkspaceIndex: nextCurrentWorkspaceIndex,
 			};

test/account-pool.test.ts

@@ -52,4 +52,60 @@ describe("account pool helper", () => {
 			activeIndexByFamily: { codex: 0 },
 		});
 	});
+
+	it("preserves lastUsed when updating an existing account", async () => {
+		const persist = vi.fn(async () => undefined);
+		const originalLastUsed = 456;
+
+		await persistAccountPoolResults({
+			results: [
+				{
+					type: "success",
+					access: "access-token-next",
+					refresh: "refresh-token",
+					expires: 999,
+				},
+			],
+			replaceAll: false,
+			modelFamilies: ["codex"],
+			withAccountStorageTransaction: async (handler) =>
+				handler(
+					{
+						version: 3,
+						activeIndex: 0,
+						activeIndexByFamily: { codex: 0 },
+						accounts: [
+							{
+								accountId: "acct_1",
+								email: "user@example.com",
+								refreshToken: "refresh-token",
+								accessToken: "access-token-old",
+								expiresAt: 123,
+								addedAt: 111,
+								lastUsed: originalLastUsed,
+								enabled: true,
+							},
+						],
+					},
+					persist,
+				),
+			findMatchingAccountIndex: () => 0,
+			extractAccountId: () => "acct_1",
+			extractAccountEmail: () => "user@example.com",
+			sanitizeEmail: (email) => email,
+		});
+
+		expect(persist).toHaveBeenCalledWith(
+			expect.objectContaining({
+				accounts: [
+					expect.objectContaining({
+						refreshToken: "refresh-token",
+						accessToken: "access-token-next",
+						expiresAt: 999,
+						lastUsed: originalLastUsed,
+					}),
+				],
+			}),
+		);
+	});
 });

test/codex-manager-report-command.test.ts

@@ -35,6 +35,7 @@ function createDeps(
 		loadAccounts: vi.fn(async () => createStorage()),
 		saveAccounts: vi.fn(async () => undefined),
 		resolveActiveIndex: vi.fn(() => 0),
+		hasUsableAccessToken: vi.fn(() => false),
 		queuedRefresh: vi.fn(async () => ({
 			type: "success",
 			access: "access-token-1",
@@ -192,6 +193,37 @@ describe("runReportCommand", () => {
 		expect(jsonOutput.forecast.accounts[3]?.liveQuota?.planType).toBe("pro");
 	});
 
+	it("reuses usable access tokens for live probes without forcing refresh", async () => {
+		const deps = createDeps({
+			hasUsableAccessToken: vi.fn(() => true),
+			loadAccounts: vi.fn(async () =>
+				createStorage([
+					{
+						email: "one@example.com",
+						accountId: "acct-live",
+						refreshToken: "refresh-token-1",
+						accessToken: "access-token-1",
+						expiresAt: 5_000,
+						addedAt: 1,
+						lastUsed: 1,
+						enabled: true,
+					},
+				]),
+			),
+		});
+
+		const result = await runReportCommand(["--live", "--json"], deps);
+
+		expect(result).toBe(0);
+		expect(deps.queuedRefresh).not.toHaveBeenCalled();
+		expect(deps.saveAccounts).not.toHaveBeenCalled();
+		expect(deps.fetchCodexQuotaSnapshot).toHaveBeenCalledWith({
+			accountId: "acct-live",
+			accessToken: "access-token-1",
+			model: "gpt-5-codex",
+		});
+	});
+
 	it("persists refreshed probe tokens before report live probes", async () => {
 		const storage = createStorage([
 			{