fix: harden refresh persistence follow-ups

Author: ndycode

lib/accounts.ts

@@ -19,6 +19,8 @@ import {
 	type HybridSelectionOptions,
 } from "./rotation.js";
 import { nowMs } from "./utils.js";
+import { ERROR_MESSAGES } from "./constants.js";
+import { CodexAuthError } from "./errors.js";
 import {
 	loadCodexCliState,
 	type CodexCliTokenCacheEntry,
@@ -801,66 +803,70 @@ export class AccountManager {
 	): Promise<ManagedAccount | null> {
 		const nextAccountId = extractAccountId(auth.access)?.trim() || undefined;
 		const nextEmail = sanitizeEmail(extractAccountEmail(auth.access));
+		try {
+			return await withAccountStorageTransaction(async (current, persist) => {
+				const nextStorage = structuredClone(
+					current ?? this.buildStorageSnapshot(),
+				) as AccountStorageV3;
+				const storageIndex = findAccountIndexByIdentity(
+					nextStorage.accounts,
+					source,
+					auth,
+				);
+				if (storageIndex === undefined) {
+					log.warn("Unable to resolve refreshed account for persistence", {
+						sourceIndex: source.index,
+					});
+					return null;
+				}
 
-		await withAccountStorageTransaction(async (current, persist) => {
-			const nextStorage = structuredClone(
-				current ?? this.buildStorageSnapshot(),
-			) as AccountStorageV3;
-			const storageIndex = findAccountIndexByIdentity(
-				nextStorage.accounts,
-				source,
-				auth,
-			);
-			if (storageIndex === undefined) {
-				log.warn("Unable to resolve refreshed account for persistence", {
-					sourceIndex: source.index,
-					email: source.email,
-				});
-				return;
-			}
+				const storedAccount = nextStorage.accounts[storageIndex];
+				if (!storedAccount) {
+					return null;
+				}
 
-			const storedAccount = nextStorage.accounts[storageIndex];
-			if (!storedAccount) {
-				return;
-			}
+				storedAccount.refreshToken = auth.refresh;
+				storedAccount.accessToken = auth.access;
+				storedAccount.expiresAt = auth.expires;
+				if (
+					nextAccountId &&
+					shouldUpdateAccountIdFromToken(
+						storedAccount.accountIdSource,
+						storedAccount.accountId,
+					)
+				) {
+					storedAccount.accountId = nextAccountId;
+					storedAccount.accountIdSource = "token";
+				}
+				if (nextEmail) {
+					storedAccount.email = nextEmail;
+				}
+				storedAccount.enabled = undefined;
+				delete storedAccount.coolingDownUntil;
+				delete storedAccount.cooldownReason;
 
-			storedAccount.refreshToken = auth.refresh;
-			storedAccount.accessToken = auth.access;
-			storedAccount.expiresAt = auth.expires;
-			if (
-				nextAccountId &&
-				shouldUpdateAccountIdFromToken(
-					storedAccount.accountIdSource,
-					storedAccount.accountId,
-				)
-			) {
-				storedAccount.accountId = nextAccountId;
-				storedAccount.accountIdSource = "token";
-			}
-			if (nextEmail) {
-				storedAccount.email = nextEmail;
-			}
-			storedAccount.enabled = undefined;
-			delete storedAccount.coolingDownUntil;
-			delete storedAccount.cooldownReason;
+				await persist(nextStorage);
 
-			await persist(nextStorage);
-		});
+				const liveAccount = this.getAccountByIdentity(source, auth);
+				if (!liveAccount) {
+					log.warn("Unable to resolve refreshed live account after persistence", {
+						sourceIndex: source.index,
+					});
+					return null;
+				}
 
-		const liveAccount = this.getAccountByIdentity(source, auth);
-		if (!liveAccount) {
-			log.warn("Unable to resolve refreshed live account after persistence", {
-				sourceIndex: source.index,
-				email: source.email,
+				this.updateFromAuth(liveAccount, auth);
+				liveAccount.enabled = true;
+				this.clearAccountCooldown(liveAccount);
+				this.clearAuthFailures(liveAccount);
+				return liveAccount;
+			});
+		} catch (error) {
+			throw new CodexAuthError(ERROR_MESSAGES.TOKEN_REFRESH_FAILED, {
+				retryable: true,
+				cause: error,
 			});
-			return null;
 		}
-
-		this.updateFromAuth(liveAccount, auth);
-		liveAccount.enabled = true;
-		this.clearAccountCooldown(liveAccount);
-		this.clearAuthFailures(liveAccount);
-		return liveAccount;
 	}
 
 	toAuthDetails(account: ManagedAccount): Auth {
@@ -973,7 +979,9 @@ export class AccountManager {
 	}
 
 	async saveToDisk(): Promise<void> {
-		await saveAccounts(this.buildStorageSnapshot());
+		await withAccountStorageTransaction(async (_current, persist) => {
+			await persist(this.buildStorageSnapshot());
+		});
 	}
 
 	saveToDiskDebounced(delayMs = 500): void {

lib/refresh-guardian.ts

@@ -1,5 +1,5 @@
 import { createLogger } from "./logger.js";
-import { applyRefreshResult, refreshExpiringAccounts } from "./proactive-refresh.js";
+import { refreshExpiringAccounts } from "./proactive-refresh.js";
 import type { AccountManager } from "./accounts.js";
 import type { CooldownReason } from "./storage.js";
 import type { TokenResult } from "./types.js";
@@ -123,12 +123,21 @@ export class RefreshGuardian {
 					expires: result.tokenResult.expires,
 					multiAccount: true,
 				};
-				const account = manager.getAccountByIdentity(sourceAccount, refreshedAuth);
-				if (account) {
-					applyRefreshResult(account, result.tokenResult);
-					manager.clearAuthFailures(account);
+				try {
+					await manager.commitRefreshedAuth(sourceAccount, refreshedAuth);
+				} catch (error) {
+					log.warn("Refresh guardian commit failed", {
+						sourceIndex: sourceAccount.index,
+						error: error instanceof Error ? error.message : String(error),
+					});
+					const account = manager.getAccountByIdentity(sourceAccount, refreshedAuth);
+					if (account) {
+						manager.markAccountCoolingDown(account, this.bufferMs, "network-error");
+					}
+					this.stats.failed += 1;
+					this.stats.networkFailed += 1;
+					return !!account;
 				}
-				await manager.commitRefreshedAuth(sourceAccount, refreshedAuth);
 				this.stats.refreshed += 1;
 				return false;
 			}

lib/request/fetch-helpers.ts

@@ -435,8 +435,9 @@ function isRetryableRefreshFailure(
 		case "network_error":
 		case "unknown":
 		case "invalid_response":
-		case "missing_refresh":
 			return true;
+		case "missing_refresh":
+			return false;
 		case "http_error":
 			return !(
 				result.statusCode === HTTP_STATUS.BAD_REQUEST ||

test/accounts.test.ts

@@ -11,6 +11,7 @@ import {
   getAccountIdCandidates,
 } from "../lib/accounts.js";
 import { getHealthTracker, getTokenTracker, resetTrackers } from "../lib/rotation.js";
+import { CodexAuthError } from "../lib/errors.js";
 import type { OAuthAuthDetails } from "../lib/types.js";
 
 vi.mock("../lib/storage.js", async (importOriginal) => {
@@ -22,6 +23,29 @@ vi.mock("../lib/storage.js", async (importOriginal) => {
   };
 });
 
+beforeEach(async () => {
+  resetTrackers();
+  const { saveAccounts, withAccountStorageTransaction } = await import(
+    "../lib/storage.js"
+  );
+  const mockSaveAccounts = vi.mocked(saveAccounts);
+  const mockWithAccountStorageTransaction = vi.mocked(
+    withAccountStorageTransaction,
+  );
+
+  mockSaveAccounts.mockReset();
+  mockSaveAccounts.mockResolvedValue(undefined);
+  mockWithAccountStorageTransaction.mockReset();
+  mockWithAccountStorageTransaction.mockImplementation(async (handler) => {
+    let current = null;
+    const persist = async (storage: Parameters<typeof saveAccounts>[0]) => {
+      current = structuredClone(storage);
+      await mockSaveAccounts(storage);
+    };
+    return handler(current as never, persist);
+  });
+});
+
 describe("parseRateLimitReason", () => {
   it("returns quota for quota-related codes", () => {
     expect(parseRateLimitReason("usage_limit_reached")).toBe("quota");
@@ -1134,6 +1158,144 @@ describe("AccountManager", () => {
       expect(account.cooldownReason).toBeUndefined();
       expect(account.consecutiveAuthFailures).toBe(0);
     });
+
+    it("propagates storage write failure as retryable CodexAuthError", async () => {
+      const { withAccountStorageTransaction } = await import("../lib/storage.js");
+      const mockWithAccountStorageTransaction = vi.mocked(
+        withAccountStorageTransaction,
+      );
+      mockWithAccountStorageTransaction.mockRejectedValueOnce(
+        Object.assign(new Error("EBUSY"), { code: "EBUSY" }),
+      );
+
+      const now = Date.now();
+      const stored = {
+        version: 3 as const,
+        activeIndex: 0,
+        accounts: [
+          {
+            refreshToken: "old-refresh",
+            accessToken: "old-access",
+            expiresAt: now,
+            addedAt: now,
+            lastUsed: now,
+          },
+        ],
+      };
+      const manager = new AccountManager(undefined, stored as any);
+      const account = manager.getAccountByIndex(0)!;
+      const refreshedAuth: OAuthAuthDetails = {
+        type: "oauth",
+        access: "header.payload.signature",
+        refresh: "new-refresh",
+        expires: now + 3_600_000,
+      };
+
+      const error = await manager.commitRefreshedAuth(account, refreshedAuth).catch(
+        (err) => err as CodexAuthError,
+      );
+
+      expect(error).toBeInstanceOf(CodexAuthError);
+      expect(error.retryable).toBe(true);
+      expect(account.refreshToken).toBe("old-refresh");
+    });
+
+    it("prevents debounced saves from writing stale auth during refresh persistence", async () => {
+      vi.useFakeTimers();
+      try {
+        const { saveAccounts, withAccountStorageTransaction } = await import(
+          "../lib/storage.js"
+        );
+        const mockSaveAccounts = vi.mocked(saveAccounts);
+        const mockWithAccountStorageTransaction = vi.mocked(
+          withAccountStorageTransaction,
+        );
+
+        const now = Date.now();
+        const stored = {
+          version: 3 as const,
+          activeIndex: 0,
+          accounts: [
+            {
+              refreshToken: "old-refresh",
+              accessToken: "old-access",
+              expiresAt: now,
+              addedAt: now,
+              lastUsed: now,
+            },
+          ],
+        };
+        const manager = new AccountManager(undefined, stored as any);
+        const account = manager.getAccountByIndex(0)!;
+        const refreshedAuth: OAuthAuthDetails = {
+          type: "oauth",
+          access: "new-access",
+          refresh: "new-refresh",
+          expires: now + 3_600_000,
+        };
+
+        let storageState = structuredClone(stored) as typeof stored;
+        let lock = Promise.resolve();
+        let releasePersist!: () => void;
+        const persistBlocked = new Promise<void>((resolve) => {
+          releasePersist = resolve;
+        });
+        let notifyPersistStarted!: () => void;
+        const persistStarted = new Promise<void>((resolve) => {
+          notifyPersistStarted = resolve;
+        });
+
+        mockWithAccountStorageTransaction.mockImplementation((handler) => {
+          const run = async () => {
+            const current = structuredClone(storageState) as typeof storageState;
+            const persist = async (
+              nextStorage: Parameters<typeof saveAccounts>[0],
+            ) => {
+              if (
+                nextStorage.accounts[0]?.refreshToken === "new-refresh" &&
+                nextStorage.accounts[0]?.accessToken === "new-access"
+              ) {
+                notifyPersistStarted();
+                await persistBlocked;
+              }
+              storageState = structuredClone(nextStorage) as typeof storageState;
+              await mockSaveAccounts(nextStorage);
+            };
+            return handler(current as never, persist);
+          };
+
+          const result = lock.then(run, run);
+          lock = result.then(
+            () => undefined,
+            () => undefined,
+          );
+          return result;
+        });
+
+        const commitPromise = manager.commitRefreshedAuth(account, refreshedAuth);
+        await persistStarted;
+
+        manager.saveToDiskDebounced(0);
+        await vi.advanceTimersByTimeAsync(0);
+
+        releasePersist();
+        await commitPromise;
+        await manager.flushPendingSave();
+
+        expect(mockSaveAccounts).toHaveBeenCalledTimes(2);
+        expect(mockSaveAccounts.mock.calls[0]?.[0]?.accounts[0]?.refreshToken).toBe(
+          "new-refresh",
+        );
+        expect(mockSaveAccounts.mock.calls[1]?.[0]?.accounts[0]?.refreshToken).toBe(
+          "new-refresh",
+        );
+        expect(mockSaveAccounts.mock.calls[1]?.[0]?.accounts[0]?.accessToken).toBe(
+          "new-access",
+        );
+      } finally {
+        vi.useRealTimers();
+      }
+    });
   });
 
   describe("toAuthDetails", () => {

test/fetch-helpers.test.ts

@@ -136,6 +136,22 @@ describe('Fetch Helpers Module', () => {
 			expect(error.retryable).toBe(false);
 		});
 
+		it('treats missing refresh tokens as terminal auth errors', async () => {
+			const auth: Auth = { type: 'oauth', access: 'old', refresh: '', expires: 0 };
+			const client = { auth: { set: vi.fn() } } as any;
+			vi.spyOn(refreshQueueModule, 'queuedRefresh').mockResolvedValue({
+				type: 'failed',
+				reason: 'missing_refresh',
+				message: 'missing refresh token',
+			} as any);
+
+			const error = await refreshAndUpdateToken(auth, client).catch(
+				(err) => err as CodexAuthError,
+			);
+			expect(error).toBeInstanceOf(CodexAuthError);
+			expect(error.retryable).toBe(false);
+		});
+
 		it('updates stored auth on success', async () => {
 			const auth: Auth = { type: 'oauth', access: 'old', refresh: 'oldr', expires: 0 };
 			const client = { auth: { set: vi.fn() } } as any;