fix: clarify manual callback fallback messaging

Author: ndycode

lib/codex-manager.ts

@@ -1511,7 +1511,8 @@ async function runOAuthFlow(
 			);
 		}
 
-		if (!preferManualMode && oauthServer?.ready) {
+		const waitingForCallback = !preferManualMode && oauthServer?.ready === true;
+		if (waitingForCallback && oauthServer) {
 			console.log(stylePromptText(UI_COPY.oauth.waitingCallback, "muted"));
 			const callbackResult = await oauthServer.waitForCode(state);
 			code = callbackResult?.code ?? null;
@@ -1520,7 +1521,9 @@ async function runOAuthFlow(
 		if (!code) {
 			console.log(
 				stylePromptText(
-					oauthServer?.ready ? UI_COPY.oauth.callbackMissed : UI_COPY.oauth.callbackUnavailable,
+					waitingForCallback
+						? UI_COPY.oauth.callbackMissed
+						: UI_COPY.oauth.callbackUnavailable,
 					"warning",
 				),
 			);

test/codex-manager-cli.test.ts

@@ -2953,11 +2953,12 @@ describe("codex manager cli commands", () => {
 		expect(withAccountStorageTransactionMock).toHaveBeenCalledTimes(1);
 		expect(storageState.accounts).toHaveLength(2);
 		expect(storageState.activeIndex).toBe(1);
-	expect(storageState.activeIndexByFamily.codex).toBe(1);
-	expect(setCodexCliActiveSelectionMock).toHaveBeenCalledTimes(1);
-});
+		expect(storageState.activeIndexByFamily.codex).toBe(1);
+		expect(setCodexCliActiveSelectionMock).toHaveBeenCalledTimes(1);
+	});
 
 	it("supports --manual login without launching a browser", async () => {
+		setInteractiveTTY(true);
 		const now = Date.now();
 		let storageState = {
 			version: 3 as const,
@@ -2999,13 +3000,19 @@ describe("codex manager cli commands", () => {
 		promptQuestionMock.mockResolvedValueOnce(
 			"http://127.0.0.1:1455/auth/callback?code=oauth-code&state=oauth-state",
 		);
+		const logSpy = vi.spyOn(console, "log").mockImplementation(() => {});
 
 		const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
 		const exitCode = await runCodexMultiAuthCli(["auth", "login", "--manual"]);
+		const renderedLogs = logSpy.mock.calls.flat().map((entry) => String(entry));
 
 		expect(exitCode).toBe(0);
 		expect(openBrowserUrlMock).not.toHaveBeenCalled();
 		expect(waitForCodeMock).not.toHaveBeenCalled();
+		expect(renderedLogs.some((entry) => entry.includes("Callback listener unavailable"))).toBe(
+			true,
+		);
+		expect(renderedLogs.some((entry) => entry.includes("No callback received"))).toBe(false);
 		expect(storageState.accounts).toHaveLength(1);
 	});
 
@@ -3058,6 +3065,96 @@ describe("codex manager cli commands", () => {
 		expect(storageState.accounts).toHaveLength(1);
 	});
 
+	it("rejects mismatched manual callback state in non-tty mode without persisting login", async () => {
+		setInteractiveTTY(false);
+		let storageState = {
+			version: 3 as const,
+			activeIndex: 0,
+			activeIndexByFamily: { codex: 0 },
+			accounts: [] as Array<Record<string, unknown>>,
+		};
+		loadAccountsMock.mockImplementation(async () => structuredClone(storageState));
+		saveAccountsMock.mockImplementation(async (nextStorage) => {
+			storageState = structuredClone(nextStorage);
+		});
+		promptLoginModeMock.mockResolvedValueOnce({ mode: "cancel" });
+		promptQuestionMock.mockResolvedValueOnce(
+			"http://127.0.0.1:1455/auth/callback?code=oauth-code&state=wrong-state",
+		);
+
+		const authModule = await import("../lib/auth/auth.js");
+		vi.mocked(authModule.createAuthorizationFlow).mockResolvedValueOnce({
+			pkce: { challenge: "pkce-challenge", verifier: "pkce-verifier" },
+			state: "oauth-state",
+			url: "https://auth.openai.com/mock",
+		});
+		const exchangeAuthorizationCodeMock = vi.mocked(authModule.exchangeAuthorizationCode);
+
+		const browserModule = await import("../lib/auth/browser.js");
+		const openBrowserUrlMock = vi.mocked(browserModule.openBrowserUrl);
+		const serverModule = await import("../lib/auth/server.js");
+		vi.mocked(serverModule.startLocalOAuthServer).mockRejectedValueOnce(
+			new Error("port in use"),
+		);
+
+		const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+		const exitCode = await runCodexMultiAuthCli(["auth", "login", "--manual"]);
+
+		expect(exitCode).toBe(0);
+		expect(promptQuestionMock).toHaveBeenCalledWith("");
+		expect(openBrowserUrlMock).not.toHaveBeenCalled();
+		expect(exchangeAuthorizationCodeMock).not.toHaveBeenCalled();
+		expect(storageState.accounts).toHaveLength(0);
+	});
+
+	it("falls back to pasted manual input when Windows-style callback bind fails", async () => {
+		setInteractiveTTY(false);
+		const now = Date.now();
+		let storageState = {
+			version: 3 as const,
+			activeIndex: 0,
+			activeIndexByFamily: { codex: 0 },
+			accounts: [] as Array<Record<string, unknown>>,
+		};
+		loadAccountsMock.mockImplementation(async () => structuredClone(storageState));
+		saveAccountsMock.mockImplementation(async (nextStorage) => {
+			storageState = structuredClone(nextStorage);
+		});
+		promptLoginModeMock.mockResolvedValueOnce({ mode: "cancel" });
+		promptQuestionMock.mockResolvedValueOnce(
+			"http://127.0.0.1:1455/auth/callback?code=oauth-code&state=oauth-state",
+		);
+
+		const authModule = await import("../lib/auth/auth.js");
+		vi.mocked(authModule.createAuthorizationFlow).mockResolvedValueOnce({
+			pkce: { challenge: "pkce-challenge", verifier: "pkce-verifier" },
+			state: "oauth-state",
+			url: "https://auth.openai.com/mock",
+		});
+		vi.mocked(authModule.exchangeAuthorizationCode).mockResolvedValueOnce({
+			type: "success",
+			access: "access-eacces",
+			refresh: "refresh-eacces",
+			expires: now + 7_200_000,
+			idToken: "id-token-eacces",
+			multiAccount: true,
+		});
+
+		const browserModule = await import("../lib/auth/browser.js");
+		const openBrowserUrlMock = vi.mocked(browserModule.openBrowserUrl);
+		const serverModule = await import("../lib/auth/server.js");
+		vi.mocked(serverModule.startLocalOAuthServer).mockRejectedValueOnce(
+			Object.assign(new Error("permission denied"), { code: "EACCES" }),
+		);
+
+		const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+		const exitCode = await runCodexMultiAuthCli(["auth", "login", "--manual"]);
+
+		expect(exitCode).toBe(0);
+		expect(promptQuestionMock).toHaveBeenCalledWith("");
+		expect(openBrowserUrlMock).not.toHaveBeenCalled();
+		expect(storageState.accounts).toHaveLength(1);
+	});
 	it("preserves distinct same-email workspaces when oauth login reuses a refresh token", async () => {
 		const now = Date.now();
 		let storageState = {