fix: flag malformed codex auth payloads in doctor

Author: ndycode

lib/codex-manager/repair-commands.ts

@@ -1687,7 +1687,14 @@ export async function runDoctor(
 		try {
 			const raw = await fs.readFile(codexAuthPath, "utf-8");
 			const parsed = JSON.parse(raw) as unknown;
-			if (parsed && typeof parsed === "object") {
+			if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+				addCheck({
+					key: "codex-auth-readable",
+					severity: "error",
+					message: "Codex auth file has invalid structure",
+					details: codexAuthPath,
+				});
+			} else {
 				const payload = parsed as Record<string, unknown>;
 				const tokens = payload.tokens && typeof payload.tokens === "object"
 					? payload.tokens as Record<string, unknown>
@@ -1708,19 +1715,19 @@ export async function runDoctor(
 					emailFromFile ?? extractAccountEmail(accessToken, idToken),
 				);
 				codexAuthAccountId = accountIdFromFile ?? extractAccountId(accessToken);
+				addCheck({
+					key: "codex-auth-readable",
+					severity: "ok",
+					message: "Codex auth file is readable",
+					details:
+						codexAuthEmail || codexAuthAccountId
+							? formatDoctorIdentitySummary({
+								email: codexAuthEmail,
+								accountId: codexAuthAccountId,
+							})
+							: undefined,
+				});
 			}
-			addCheck({
-				key: "codex-auth-readable",
-				severity: "ok",
-				message: "Codex auth file is readable",
-				details:
-					codexAuthEmail || codexAuthAccountId
-						? formatDoctorIdentitySummary({
-							email: codexAuthEmail,
-							accountId: codexAuthAccountId,
-						})
-						: undefined,
-			});
 		} catch (error) {
 			addCheck({
 				key: "codex-auth-readable",

test/repair-commands.test.ts

@@ -751,6 +751,25 @@ describe("repair-commands direct deps coverage", () => {
 		);
 	});
 
+	it("runDoctor marks malformed codex auth payloads as invalid instead of healthy", async () => {
+		existsSyncMock.mockImplementation((path) => path === "/mock/auth.json");
+		readFileMock.mockResolvedValueOnce("[]");
+		const consoleSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+
+		const exitCode = await runDoctor(["--json"], createDeps());
+
+		expect(exitCode).toBe(1);
+		expect(
+			JSON.parse(String(consoleSpy.mock.calls.at(-1)?.[0] ?? "{}")).checks,
+		).toContainEqual(
+			expect.objectContaining({
+				key: "codex-auth-readable",
+				severity: "error",
+				message: "Codex auth file has invalid structure",
+			}),
+		);
+	});
+
 	it("runDoctor derives auto-fix state from the final action set", async () => {
 		const now = Date.now();
 		let persistedAccountStorage: unknown;