fix: roll back flagged recovery partial writes

Author: ndycode

lib/codex-manager.ts

@@ -58,6 +58,7 @@ import {
 	saveFlaggedAccounts,
 	saveAccounts,
 	setStoragePath,
+	withAccountAndFlaggedStorageTransaction,
 	withAccountStorageTransaction,
 	type AccountMetadataV3,
 	type AccountStorageV3,
@@ -2553,10 +2554,9 @@ async function runVerifyFlagged(args: string[]): Promise<number> {
 		});
 	}
 
-	const applyRefreshChecks = async (
+	const applyRefreshChecks = (
 		storage: AccountStorageV3,
-		persist?: (nextStorage: AccountStorageV3) => Promise<void>,
-	): Promise<void> => {
+	): void => {
 		for (const check of refreshChecks) {
 			const { index: i, flagged, label, result } = check;
 			if (result.type === "success") {
@@ -2638,28 +2638,33 @@ async function runVerifyFlagged(args: string[]): Promise<number> {
 				message: detail,
 			});
 		}
-
-		if (persist && storageChanged) {
-			normalizeDoctorIndexes(storage);
-			await persist(storage);
-		}
 	};
 
 	if (options.restore) {
 		if (options.dryRun) {
-			await applyRefreshChecks(
+			applyRefreshChecks(
 				(await loadAccounts()) ?? createEmptyAccountStorage(),
 			);
 		} else {
-			await withAccountStorageTransaction(async (loadedStorage, persist) => {
-				await applyRefreshChecks(
-					loadedStorage ? structuredClone(loadedStorage) : createEmptyAccountStorage(),
-					persist,
-				);
-			});
+			await withAccountAndFlaggedStorageTransaction(
+				async (loadedStorage, persist) => {
+					const nextStorage = loadedStorage
+						? structuredClone(loadedStorage)
+						: createEmptyAccountStorage();
+					applyRefreshChecks(nextStorage);
+					if (!storageChanged) {
+						return;
+					}
+					normalizeDoctorIndexes(nextStorage);
+					await persist(nextStorage, {
+						version: 1,
+						accounts: nextFlaggedAccounts,
+					});
+				},
+			);
 		}
 	} else {
-		await applyRefreshChecks(createEmptyAccountStorage());
+		applyRefreshChecks(createEmptyAccountStorage());
 	}
 
 	const remainingFlagged = nextFlaggedAccounts.length;
@@ -2668,7 +2673,7 @@ async function runVerifyFlagged(args: string[]): Promise<number> {
 	const stillFlagged = reports.filter((report) => report.outcome === "still-flagged").length;
 	const changed = storageChanged || flaggedChanged;
 
-	if (!options.dryRun && flaggedChanged) {
+	if (!options.dryRun && flaggedChanged && (!options.restore || !storageChanged)) {
 		await saveFlaggedAccounts({
 			version: 1,
 			accounts: nextFlaggedAccounts,

lib/storage.ts

@@ -1845,6 +1845,21 @@ async function saveAccountsUnlocked(storage: AccountStorageV3): Promise<void> {
 	}
 }
 
+function cloneAccountStorageForPersistence(
+	storage: AccountStorageV3 | null | undefined,
+): AccountStorageV3 {
+	return {
+		version: 3,
+		accounts: structuredClone(storage?.accounts ?? []),
+		activeIndex:
+			typeof storage?.activeIndex === "number" &&
+			Number.isFinite(storage.activeIndex)
+				? storage.activeIndex
+				: 0,
+		activeIndexByFamily: structuredClone(storage?.activeIndexByFamily ?? {}),
+	};
+}
+
 export async function withAccountStorageTransaction<T>(
 	handler: (
 		current: AccountStorageV3 | null,
@@ -1867,6 +1882,53 @@ export async function withAccountStorageTransaction<T>(
 	});
 }
 
+export async function withAccountAndFlaggedStorageTransaction<T>(
+	handler: (
+		current: AccountStorageV3 | null,
+		persist: (
+			accountStorage: AccountStorageV3,
+			flaggedStorage: FlaggedAccountStorageV1,
+		) => Promise<void>,
+	) => Promise<T>,
+): Promise<T> {
+	return withStorageLock(async () => {
+		const state = {
+			snapshot: await loadAccountsInternal(saveAccountsUnlocked),
+			active: true,
+		};
+		const current = state.snapshot;
+		const persist = async (
+			accountStorage: AccountStorageV3,
+			flaggedStorage: FlaggedAccountStorageV1,
+		): Promise<void> => {
+			const previousAccounts = cloneAccountStorageForPersistence(state.snapshot);
+			const nextAccounts = cloneAccountStorageForPersistence(accountStorage);
+			await saveAccountsUnlocked(nextAccounts);
+			try {
+				await saveFlaggedAccountsUnlocked(flaggedStorage);
+				state.snapshot = nextAccounts;
+			} catch (error) {
+				try {
+					await saveAccountsUnlocked(previousAccounts);
+					state.snapshot = previousAccounts;
+				} catch (rollbackError) {
+					log.error(
+						"Failed to rollback account storage after flagged save failure",
+						{
+							error: String(error),
+							rollbackError: String(rollbackError),
+						},
+					);
+				}
+				throw error;
+			}
+		};
+		return transactionSnapshotContext.run(state, () =>
+			handler(current, persist),
+		);
+	});
+}
+
 /**
  * Persists account storage to disk using atomic write (temp file + rename).
  * Creates the Codex multi-auth storage directory if it doesn't exist.
@@ -2091,47 +2153,53 @@ export async function loadFlaggedAccounts(): Promise<FlaggedAccountStorageV1> {
 	}
 }
 
-export async function saveFlaggedAccounts(
+async function saveFlaggedAccountsUnlocked(
 	storage: FlaggedAccountStorageV1,
 ): Promise<void> {
-	return withStorageLock(async () => {
-		const path = getFlaggedAccountsPath();
-		const markerPath = getIntentionalResetMarkerPath(path);
-		const uniqueSuffix = `${Date.now()}.${Math.random().toString(36).slice(2, 8)}`;
-		const tempPath = `${path}.${uniqueSuffix}.tmp`;
+	const path = getFlaggedAccountsPath();
+	const markerPath = getIntentionalResetMarkerPath(path);
+	const uniqueSuffix = `${Date.now()}.${Math.random().toString(36).slice(2, 8)}`;
+	const tempPath = `${path}.${uniqueSuffix}.tmp`;
 
-		try {
-			await fs.mkdir(dirname(path), { recursive: true });
-			if (existsSync(path)) {
-				try {
-					await fs.copyFile(path, `${path}.bak`);
-				} catch (backupError) {
-					log.warn("Failed to create flagged backup snapshot", {
-						path,
-						error: String(backupError),
-					});
-				}
-			}
-			const content = JSON.stringify(normalizeFlaggedStorage(storage), null, 2);
-			await fs.writeFile(tempPath, content, { encoding: "utf-8", mode: 0o600 });
-			await fs.rename(tempPath, path);
-			try {
-				await fs.unlink(markerPath);
-			} catch {
-				// Best effort cleanup.
-			}
-		} catch (error) {
+	try {
+		await fs.mkdir(dirname(path), { recursive: true });
+		if (existsSync(path)) {
 			try {
-				await fs.unlink(tempPath);
-			} catch {
-				// Ignore cleanup failures.
+				await fs.copyFile(path, `${path}.bak`);
+			} catch (backupError) {
+				log.warn("Failed to create flagged backup snapshot", {
+					path,
+					error: String(backupError),
+				});
 			}
-			log.error("Failed to save flagged account storage", {
-				path,
-				error: String(error),
-			});
-			throw error;
 		}
+		const content = JSON.stringify(normalizeFlaggedStorage(storage), null, 2);
+		await fs.writeFile(tempPath, content, { encoding: "utf-8", mode: 0o600 });
+		await fs.rename(tempPath, path);
+		try {
+			await fs.unlink(markerPath);
+		} catch {
+			// Best effort cleanup.
+		}
+	} catch (error) {
+		try {
+			await fs.unlink(tempPath);
+		} catch {
+			// Ignore cleanup failures.
+		}
+		log.error("Failed to save flagged account storage", {
+			path,
+			error: String(error),
+		});
+		throw error;
+	}
+}
+
+export async function saveFlaggedAccounts(
+	storage: FlaggedAccountStorageV1,
+): Promise<void> {
+	return withStorageLock(async () => {
+		await saveFlaggedAccountsUnlocked(storage);
 	});
 }
 

test/codex-manager-cli.test.ts

@@ -26,6 +26,7 @@ const promptQuestionMock = vi.fn();
 const detectOcChatgptMultiAuthTargetMock = vi.fn();
 const normalizeAccountStorageMock = vi.fn((value) => value);
 const withAccountStorageTransactionMock = vi.fn();
+const withAccountAndFlaggedStorageTransactionMock = vi.fn();
 
 vi.mock("../lib/logger.js", () => ({
 	createLogger: vi.fn(() => ({
@@ -94,6 +95,8 @@ vi.mock("../lib/storage.js", async () => {
 		loadFlaggedAccounts: loadFlaggedAccountsMock,
 		saveAccounts: saveAccountsMock,
 		saveFlaggedAccounts: saveFlaggedAccountsMock,
+		withAccountAndFlaggedStorageTransaction:
+			withAccountAndFlaggedStorageTransactionMock,
 		withAccountStorageTransaction: withAccountStorageTransactionMock,
 		setStoragePath: setStoragePathMock,
 		getStoragePath: getStoragePathMock,
@@ -412,6 +415,7 @@ describe("codex manager cli commands", () => {
 		loadFlaggedAccountsMock.mockReset();
 		saveAccountsMock.mockReset();
 		saveFlaggedAccountsMock.mockReset();
+		withAccountAndFlaggedStorageTransactionMock.mockReset();
 		withAccountStorageTransactionMock.mockReset();
 		queuedRefreshMock.mockReset();
 		setCodexCliActiveSelectionMock.mockReset();
@@ -455,6 +459,34 @@ describe("codex manager cli commands", () => {
 				);
 			},
 		);
+		withAccountAndFlaggedStorageTransactionMock.mockImplementation(
+			async (handler) => {
+				const current = await loadAccountsMock();
+				let snapshot =
+					current == null
+						? {
+							version: 3,
+							accounts: [],
+							activeIndex: 0,
+							activeIndexByFamily: {},
+						}
+						: structuredClone(current);
+				return handler(
+					structuredClone(snapshot),
+					async (storage: unknown, flaggedStorage: unknown) => {
+						const previousSnapshot = structuredClone(snapshot);
+						await saveAccountsMock(storage);
+						try {
+							await saveFlaggedAccountsMock(flaggedStorage);
+							snapshot = structuredClone(storage);
+						} catch (error) {
+							await saveAccountsMock(previousSnapshot);
+							throw error;
+						}
+					},
+				);
+			},
+		);
 		loadDashboardDisplaySettingsMock.mockResolvedValue({
 			showPerAccountRows: true,
 			showQuotaDetails: true,
@@ -642,7 +674,7 @@ describe("codex manager cli commands", () => {
 		]);
 
 		expect(exitCode).toBe(0);
-		expect(withAccountStorageTransactionMock).toHaveBeenCalledTimes(1);
+		expect(withAccountAndFlaggedStorageTransactionMock).toHaveBeenCalledTimes(1);
 		expect(saveAccountsMock).toHaveBeenCalledWith(
 			expect.objectContaining({
 				accounts: expect.arrayContaining([
@@ -699,7 +731,7 @@ describe("codex manager cli commands", () => {
 		]);
 
 		expect(exitCode).toBe(0);
-		expect(withAccountStorageTransactionMock).toHaveBeenCalledTimes(1);
+		expect(withAccountAndFlaggedStorageTransactionMock).toHaveBeenCalledTimes(1);
 		const savedStorage = saveAccountsMock.mock.calls.at(-1)?.[0];
 		expect(savedStorage).toEqual(
 			expect.objectContaining({
@@ -715,6 +747,70 @@ describe("codex manager cli commands", () => {
 		extractAccountIdMock.mockImplementation(() => "acc_test");
 	});
 
+	it("rolls back active storage when flagged persistence fails during recovery", async () => {
+		const now = Date.now();
+		loadFlaggedAccountsMock.mockResolvedValueOnce({
+			version: 1,
+			accounts: [
+				{
+					refreshToken: "flagged-refresh",
+					accountId: "acc_flagged",
+					email: "flagged@example.com",
+					addedAt: now - 1_000,
+					lastUsed: now - 1_000,
+					flaggedAt: now - 5_000,
+				},
+			],
+		});
+		loadAccountsMock.mockResolvedValueOnce({
+			version: 3,
+			activeIndex: 0,
+			activeIndexByFamily: { codex: 0 },
+			accounts: [
+				{
+					refreshToken: "refresh-existing",
+					accountId: "acc_existing",
+					email: "existing@example.com",
+					addedAt: now - 10_000,
+					lastUsed: now - 10_000,
+				},
+			],
+		});
+		queuedRefreshMock.mockResolvedValueOnce({
+			type: "success",
+			access: "access-restored",
+			refresh: "refresh-restored",
+			expires: now + 3_600_000,
+		});
+		saveFlaggedAccountsMock.mockRejectedValueOnce(
+			new Error("flagged write failed"),
+		);
+		const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+
+		await expect(
+			runCodexMultiAuthCli(["auth", "verify-flagged", "--json"]),
+		).rejects.toThrow("flagged write failed");
+		expect(withAccountAndFlaggedStorageTransactionMock).toHaveBeenCalledTimes(
+			1,
+		);
+		expect(saveAccountsMock).toHaveBeenCalledTimes(2);
+		expect(saveAccountsMock.mock.calls[0]?.[0]).toEqual(
+			expect.objectContaining({
+				accounts: expect.arrayContaining([
+					expect.objectContaining({ refreshToken: "refresh-existing" }),
+					expect.objectContaining({ refreshToken: "refresh-restored" }),
+				]),
+			}),
+		);
+		expect(saveAccountsMock.mock.calls[1]?.[0]).toEqual(
+			expect.objectContaining({
+				accounts: [
+					expect.objectContaining({ refreshToken: "refresh-existing" }),
+				],
+			}),
+		);
+	});
+
 	it("keeps flagged account when verification still fails", async () => {
 		const now = Date.now();
 		loadFlaggedAccountsMock.mockResolvedValueOnce({