Merge branch 'pr-133-head' into release-integration-20260320

Author: ndycode

index.ts

@@ -109,6 +109,7 @@ import {
         formatAccountLabel,
         formatCooldown,
         formatWaitTime,
+        resolveRuntimeRequestIdentity,
         sanitizeEmail,
         selectBestAccountCandidate,
         shouldUpdateAccountIdFromToken,
@@ -1495,13 +1496,19 @@ while (attempted.size < Math.max(1, accountCount)) {
 				continue;
 					}
 
-				const hadAccountId = !!account.accountId;
-					const tokenAccountId = extractAccountId(accountAuth.access);
-					const accountId = resolveRequestAccountId(
-						account.accountId,
-						account.accountIdSource,
-						tokenAccountId,
-					);
+				const storedAccountId = account.accountId;
+				const storedAccountIdSource = account.accountIdSource;
+				const storedEmail = account.email;
+				const hadAccountId = !!storedAccountId;
+					const runtimeIdentity = resolveRuntimeRequestIdentity({
+						storedAccountId,
+						source: storedAccountIdSource,
+						storedEmail,
+						accessToken: accountAuth.access,
+						idToken: accountAuth.idToken,
+					});
+					const tokenAccountId = runtimeIdentity.tokenAccountId;
+					const accountId = runtimeIdentity.accountId;
 						if (!accountId) {
 							accountManager.markAccountCoolingDown(
 								account,
@@ -1511,19 +1518,13 @@ while (attempted.size < Math.max(1, accountCount)) {
 							accountManager.saveToDiskDebounced();
 							continue;
 						}
-											const resolvedEmail =
-												extractAccountEmail(accountAuth.access) ?? account.email;
+											const resolvedEmail = runtimeIdentity.email;
 											const entitlementAccountKey = resolveEntitlementAccountKey({
-												accountId: account.accountId ?? accountId,
+												accountId: storedAccountId ?? accountId,
 												email: resolvedEmail,
 												refreshToken: account.refreshToken,
 												index: account.index,
 											});
-											account.accountId = accountId;
-											if (!hadAccountId && tokenAccountId && accountId === tokenAccountId) {
-												account.accountIdSource = account.accountIdSource ?? "token";
-											}
-											account.email = resolvedEmail;
 											const entitlementBlock = entitlementCache.isBlocked(
 												entitlementAccountKey,
 												model ?? modelFamily,
@@ -1536,6 +1537,13 @@ while (attempted.size < Math.max(1, accountCount)) {
 												);
 												continue;
 											}
+											account.accountId = accountId;
+											if (!hadAccountId && tokenAccountId && accountId === tokenAccountId) {
+												account.accountIdSource = storedAccountIdSource ?? "token";
+											}
+											if (resolvedEmail) {
+												account.email = resolvedEmail;
+											}
 
 											if (
 												accountCount > 1 &&
@@ -1594,6 +1602,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 
 							let sameAccountRetryCount = 0;
 							let successAccountForResponse = account;
+							let successEntitlementAccountKey = entitlementAccountKey;
 							while (true) {
 								let response: Response;
 								const fetchStart = performance.now();
@@ -2101,19 +2110,58 @@ while (attempted.size < Math.max(1, accountCount)) {
 											continue;
 										}
 
-										const fallbackTokenAccountId = extractAccountId(fallbackAuth.access);
-										const fallbackAccountId = resolveRequestAccountId(
-											fallbackAccount.accountId,
-											fallbackAccount.accountIdSource,
-											fallbackTokenAccountId,
-										);
+										const fallbackStoredAccountId = fallbackAccount.accountId;
+										const fallbackStoredAccountIdSource = fallbackAccount.accountIdSource;
+										const fallbackStoredEmail = fallbackAccount.email;
+										const hadFallbackAccountId = !!fallbackStoredAccountId;
+										const fallbackRuntimeIdentity = resolveRuntimeRequestIdentity({
+											storedAccountId: fallbackStoredAccountId,
+											source: fallbackStoredAccountIdSource,
+											storedEmail: fallbackStoredEmail,
+											accessToken: fallbackAuth.access,
+											idToken: fallbackAuth.idToken,
+										});
+										const fallbackTokenAccountId = fallbackRuntimeIdentity.tokenAccountId;
+										const fallbackAccountId = fallbackRuntimeIdentity.accountId;
 										if (!fallbackAccountId) {
 											continue;
 										}
+										const fallbackResolvedEmail = fallbackRuntimeIdentity.email;
+										const fallbackEntitlementAccountKey = resolveEntitlementAccountKey({
+											accountId: fallbackStoredAccountId ?? fallbackAccountId,
+											email: fallbackResolvedEmail,
+											refreshToken: fallbackAccount.refreshToken,
+											index: fallbackAccount.index,
+										});
+										const fallbackEntitlementBlock = entitlementCache.isBlocked(
+											fallbackEntitlementAccountKey,
+											model ?? modelFamily,
+										);
+										if (fallbackEntitlementBlock.blocked) {
+											runtimeMetrics.accountRotations++;
+											runtimeMetrics.lastError =
+												`Entitlement cached block for account ${fallbackAccount.index + 1}`;
+											logWarn(
+												`Skipping account ${fallbackAccount.index + 1} due to cached entitlement block (${formatWaitTime(fallbackEntitlementBlock.waitMs)} remaining).`,
+											);
+											continue;
+										}
 
 										if (!accountManager.consumeToken(fallbackAccount, modelFamily, model)) {
 											continue;
 										}
+										fallbackAccount.accountId = fallbackAccountId;
+										if (
+											!hadFallbackAccountId &&
+											fallbackTokenAccountId &&
+											fallbackAccountId === fallbackTokenAccountId
+										) {
+											fallbackAccount.accountIdSource =
+												fallbackStoredAccountIdSource ?? "token";
+										}
+										if (fallbackResolvedEmail) {
+											fallbackAccount.email = fallbackResolvedEmail;
+										}
 
 										const fallbackHeaders = createCodexHeaders(
 											requestInit,
@@ -2155,7 +2203,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 											);
 											if (fallbackSnapshot) {
 												preemptiveQuotaScheduler.update(
-													`${resolveEntitlementAccountKey(fallbackAccount)}:${model ?? modelFamily}`,
+													`${fallbackEntitlementAccountKey}:${model ?? modelFamily}`,
 													fallbackSnapshot,
 												);
 											}
@@ -2180,13 +2228,14 @@ while (attempted.size < Math.max(1, accountCount)) {
 													accountManager.recordFailure(fallbackAccount, modelFamily, model);
 												}
 												capabilityPolicyStore.recordFailure(
-													resolveEntitlementAccountKey(fallbackAccount),
+													fallbackEntitlementAccountKey,
 													capabilityModelKey,
 												);
 												continue;
 											}
 
 											successAccountForResponse = fallbackAccount;
+											successEntitlementAccountKey = fallbackEntitlementAccountKey;
 											runtimeMetrics.streamFailoverRecoveries += 1;
 											if (fallbackAccount.index !== account.index) {
 												runtimeMetrics.streamFailoverCrossAccountRecoveries += 1;
@@ -2206,7 +2255,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 											accountManager.refundToken(fallbackAccount, modelFamily, model);
 											accountManager.recordFailure(fallbackAccount, modelFamily, model);
 											capabilityPolicyStore.recordFailure(
-												resolveEntitlementAccountKey(fallbackAccount),
+												fallbackEntitlementAccountKey,
 												capabilityModelKey,
 											);
 											logWarn(
@@ -2296,10 +2345,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 						if (successAccountForResponse.index !== account.index) {
 							accountManager.markSwitched(successAccountForResponse, "rotation", modelFamily);
 						}
-						const successAccountKey =
-							successAccountForResponse.index === account.index
-								? entitlementAccountKey
-								: resolveEntitlementAccountKey(successAccountForResponse);
+						const successAccountKey = successEntitlementAccountKey;
 						accountManager.recordSuccess(successAccountForResponse, modelFamily, model);
 						capabilityPolicyStore.recordSuccess(
 							successAccountKey,

lib/accounts.ts

@@ -30,6 +30,7 @@ export {
 	extractAccountEmail,
 	getAccountIdCandidates,
 	selectBestAccountCandidate,
+	resolveRuntimeRequestIdentity,
 	shouldUpdateAccountIdFromToken,
 	resolveRequestAccountId,
 	sanitizeEmail,

lib/auth/token-utils.ts

@@ -383,6 +383,37 @@ export function resolveRequestAccountId(
 	return tokenAccountId ?? storedAccountId;
 }
 
+export interface RuntimeRequestIdentity {
+	accountId?: string;
+	email?: string;
+	tokenAccountId?: string;
+}
+
+/**
+ * Resolve the live request identity for an account using the stored workspace binding
+ * plus the freshest token-derived hints available for this request.
+ */
+export function resolveRuntimeRequestIdentity(input: {
+	storedAccountId?: string;
+	source?: AccountIdSource;
+	storedEmail?: string;
+	accessToken?: string;
+	idToken?: string;
+}): RuntimeRequestIdentity {
+	const tokenAccountId = extractAccountId(input.accessToken);
+	return {
+		accountId: resolveRequestAccountId(
+			input.storedAccountId,
+			input.source,
+			tokenAccountId,
+		),
+		email:
+			sanitizeEmail(extractAccountEmail(input.accessToken, input.idToken)) ??
+			sanitizeEmail(input.storedEmail),
+		tokenAccountId,
+	};
+}
+
 /**
  * Sanitizes an email address by trimming whitespace and lowercasing.
  * @param email - Email string to sanitize

lib/codex-manager.ts

@@ -1586,7 +1586,7 @@ async function runOAuthFlow(
 			);
 		}
 
-		const waitingForCallback = oauthServer?.ready === true;
+		const waitingForCallback = signInMode === "browser" && oauthServer?.ready === true;
 		if (waitingForCallback && oauthServer) {
 			console.log(stylePromptText(UI_COPY.oauth.waitingCallback, "muted"));
 			const callbackResult = await oauthServer.waitForCode(state);

test/codex-manager-cli.test.ts

@@ -3301,7 +3301,6 @@ describe("codex manager cli commands", () => {
 		expect(exchangeAuthorizationCodeMock).not.toHaveBeenCalled();
 		expect(storageState.accounts).toHaveLength(0);
 	});
-
 	it("preserves distinct same-email workspaces when oauth login reuses a refresh token", async () => {
 		const now = Date.now();
 		let storageState = {

test/index-retry.test.ts

@@ -35,7 +35,8 @@ vi.mock("../lib/request/request-transformer.js", () => ({
 	applyFastSessionDefaults: <T>(config: T) => config,
 }));
 
-vi.mock("../lib/accounts.js", () => {
+vi.mock("../lib/accounts.js", async () => {
+	const tokenUtils = await vi.importActual("../lib/auth/token-utils.js");
 	class AccountManager {
 		private calls = 0;
 
@@ -114,7 +115,38 @@ vi.mock("../lib/accounts.js", () => {
 		extractAccountEmail: () => "user@example.com",
 		extractAccountId: () => "account-1",
 		selectBestAccountCandidate: (candidates: Array<{ accountId: string }>) => candidates[0] ?? null,
-		resolveRequestAccountId: (_storedId: string | undefined, _source: string | undefined, tokenId: string | undefined) => tokenId,
+		resolveRuntimeRequestIdentity: ({
+			storedAccountId,
+			source,
+			storedEmail,
+			accessToken,
+			idToken,
+		}: {
+			storedAccountId?: string;
+			source?: string;
+			storedEmail?: string;
+			accessToken?: string;
+			idToken?: string;
+		}) => {
+			const tokenUtilsModule = tokenUtils as typeof import("../lib/auth/token-utils.js");
+			const tokenAccountId = accessToken ? "account-1" : undefined;
+			const tokenEmail = tokenUtilsModule.sanitizeEmail(
+				tokenUtilsModule.extractAccountEmail(accessToken, idToken),
+			);
+			const sanitizedStoredEmail = tokenUtilsModule.sanitizeEmail(storedEmail);
+			return {
+				accountId: tokenUtilsModule.resolveRequestAccountId(
+					storedAccountId,
+					source as never,
+					tokenAccountId,
+				),
+				email: tokenEmail ?? sanitizedStoredEmail,
+				tokenAccountId,
+			};
+		},
+		resolveRequestAccountId: (
+			tokenUtils as typeof import("../lib/auth/token-utils.js")
+		).resolveRequestAccountId,
 		formatAccountLabel: (_account: any, index: number) => `Account ${index + 1}`,
 		formatCooldown: (ms: number) => `${ms}ms`,
 		formatWaitTime: (ms: number) => `${ms}ms`,