chore: release v2.1.13-beta.1 (#491)#494
Conversation
Prerelease that ships the multi-workspace support for a single email from issue #491 (PR #493) to npm under the `beta` dist-tag: persist account workspaces, surface the active workspace in list/status, a new `workspace <account> [workspace]` command to list and switch workspaces, and a `login --org <org_id>` flag to bind a specific workspace on demand. Also carries the pinned-account 503 diagnostic from v2.1.13-beta.0. Stable v2.1.13 will land once the issue #486 root cause is identified and patched.
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
📝 WalkthroughThis is a low-risk, prerelease maintenance PR that bumps version numbers from 2.1.13-beta.0 to 2.1.13-beta.1 across The actual feature work (multi-workspace support, persistence fixes, new commands, and login workflow enhancements) was already completed and tested in the merged feature branch ( Walkthroughversion bump from 2.1.13-beta.0 to 2.1.13-beta.1 updates plugin.json and package.json manifests, adds release notes documenting multi-workspace support with email-based workspaces keyed by org_id, and updates README and docs references to point to the new release notes. ChangesVersion 2.1.13-beta.1 Release
Estimated Code Review Effort🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| - `login --org <org_id>` (and `--org=<id>`) binds a login to a specific | ||
| workspace/org. It reuses the `CODEX_AUTH_ACCOUNT_ID` override that every login | ||
| resolver already honors, scoped to the invocation and restored afterward, so a | ||
| second workspace can be registered on demand instead of always resolving to the | ||
| default org. |
There was a problem hiding this comment.
login --org env-var mutation is a concurrency risk
the notes say the impl sets process.env.CODEX_AUTH_ACCOUNT_ID, does the login, then restores it. node is single-threaded but async — if two login --org calls overlap on the event loop (e.g. a cli invocation racing an in-process retry), the second call can read the first call's value or clobber the restore, assigning the wrong workspace to the wrong account. a scoped parameter passed through the call chain would eliminate the risk entirely. also worth checking: the exception path — if the login resolver throws before the restore runs, the env var stays mutated for the rest of the process lifetime, which on windows could also affect any child-process token writes that inherit the env.
Prompt To Fix With AI
This is a comment left during a code review.
Path: docs/releases/v2.1.13-beta.1.md
Line: 41-45
Comment:
**`login --org` env-var mutation is a concurrency risk**
the notes say the impl sets `process.env.CODEX_AUTH_ACCOUNT_ID`, does the login, then restores it. node is single-threaded but async — if two `login --org` calls overlap on the event loop (e.g. a cli invocation racing an in-process retry), the second call can read the first call's value or clobber the restore, assigning the wrong workspace to the wrong account. a scoped parameter passed through the call chain would eliminate the risk entirely. also worth checking: the exception path — if the login resolver throws before the restore runs, the env var stays mutated for the rest of the process lifetime, which on windows could also affect any child-process token writes that inherit the env.
How can I resolve this? If you propose a fix, please make it concise.
|
|
||
| - Schema round-trip preservation and a workspace-load regression that locks the | ||
| fix in place. | ||
| - Label disambiguation coverage and `formatWorkspaceLines` output coverage | ||
| (active marker, disabled annotation, indentation). | ||
| - Nine `workspace`-command cases (list, switch, persistence, already-active | ||
| no-op, disabled rejection, out-of-range and non-numeric indices). | ||
| - `login --org` argument parsing and missing-value handling. |
There was a problem hiding this comment.
the test list covers argument parsing and missing-value handling for login --org, but doesn't mention a case where the login resolver throws mid-flight and we verify CODEX_AUTH_ACCOUNT_ID is still restored to its prior value (or undefined). given the mutation pattern described above, a regression here would silently corrupt subsequent logins in the same process without any test catching it.
Prompt To Fix With AI
This is a comment left during a code review.
Path: docs/releases/v2.1.13-beta.1.md
Line: 50-57
Comment:
**missing vitest coverage for env-var restore under failure**
the test list covers argument parsing and missing-value handling for `login --org`, but doesn't mention a case where the login resolver throws mid-flight and we verify `CODEX_AUTH_ACCOUNT_ID` is still restored to its prior value (or `undefined`). given the mutation pattern described above, a regression here would silently corrupt subsequent logins in the same process without any test catching it.
How can I resolve this? If you propose a fix, please make it concise.Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/releases/v2.1.13-beta.1.md (1)
68-72:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winadd required release-links block to this release note.
this note is missing the required pointers for current prerelease, current stable, prior stable, and archived release notes.
as per coding guidelines: "`docs/releases/*.md`: release notes should be organized in the releases/ directory with semantic versioning filenames ... and include current prerelease, current stable, prior stable, and archived release notes".proposed patch
## Refs - Issue `#491` — `[feature] Support registering multiple workspaces for the same email` - PR `#493` — `feat: support multiple workspaces for the same email (`#491`)` + +## Release Track Links + +- Current prerelease: [v2.1.13-beta.1](./v2.1.13-beta.1.md) +- Current stable: [v2.1.12](./v2.1.12.md) +- Prior stable: [v2.1.11](./v2.1.11.md) +- Archived release notes: [v1.3.1](./v1.3.1.md)🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/releases/v2.1.13-beta.1.md` around lines 68 - 72, The release note file v2.1.13-beta.1.md is missing the required release-links block; update this document (near the top, e.g., above or below the "## Refs" section) to include the standardized release-links block with explicit pointers for current prerelease, current stable, prior stable, and archived release notes (use the repository's canonical filenames/URLs for each target), ensuring labels match the project's release-note format and that the block is present in the v2.1.13-beta.1.md file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@docs/releases/v2.1.13-beta.1.md`:
- Around line 68-72: The release note file v2.1.13-beta.1.md is missing the
required release-links block; update this document (near the top, e.g., above or
below the "## Refs" section) to include the standardized release-links block
with explicit pointers for current prerelease, current stable, prior stable, and
archived release notes (use the repository's canonical filenames/URLs for each
target), ensuring labels match the project's release-note format and that the
block is present in the v2.1.13-beta.1.md file.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 5078f4b8-3887-47d5-93e5-e2a92f692e2c
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (5)
.codex-plugin/plugin.jsonREADME.mddocs/README.mddocs/releases/v2.1.13-beta.1.mdpackage.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Greptile Review
🧰 Additional context used
📓 Path-based instructions (10)
docs/{README.md,docs/**/*.md}
📄 CodeRabbit inference engine (docs/DOCUMENTATION.md)
docs/{README.md,docs/**/*.md}: Use canonical package namecodex-multi-authin all documentation
Verify internal links in documentation are valid before merge
Ensure no conflicting guidance exists between README, docs, and governance files before merge
Files:
docs/README.md
docs/{README.md,docs/getting-started.md}
📄 CodeRabbit inference engine (docs/DOCUMENTATION.md)
Update
README.mdanddocs/getting-started.mdfirst when runtime behavior changes
Files:
docs/README.md
docs/{README.md,docs/getting-started.md,docs/configuration.md,docs/troubleshooting.md,docs/reference/**/*.md}
📄 CodeRabbit inference engine (docs/DOCUMENTATION.md)
Verify every documented command is executable as written before merge
Files:
docs/README.md
docs/{docs/**/*.md,README.md}
📄 CodeRabbit inference engine (docs/DOCUMENTATION.md)
Verify paths in documentation match runtime modules (
lib/runtime-paths.ts,lib/storage.ts,lib/config.ts)
Files:
docs/README.md
docs/{README.md,docs/index.md,docs/README.md}
📄 CodeRabbit inference engine (docs/DOCUMENTATION.md)
Use accurate discoverability terms in public landing pages without keyword stuffing or ranking promises
Root README and docs landing pages should naturally include
Codex CLI,multi-account OAuth,account switching,health checks,runtime rotation,diagnostics, andrecoverywhen those topics are in scope
Files:
docs/README.md
docs/**/*.md
📄 CodeRabbit inference engine (docs/STYLE_GUIDE.md)
docs/**/*.md: User-facing documentation should follow the page template: Title and one-line lead, Quick path commands, Core operational workflow, Troubleshooting or failure handling, and Related links
Use short sections and scan-friendly tables in documentation where they improve clarity
Prefer direct, actionable language in documentation
Use runnable command examples in documentation
Explain expected outcomes after critical commands in documentation
Keep terminology consistent with runtime names in documentation
Avoid speculative language when behavior is deterministic in documentation
Put the user problem in the first paragraph before implementation detail
Use descriptive page titles such ascodex-multi-auth Featuresinstead of generic titles on public docs
Do not repeat keyword lists in every section; search terms should appear only where they help a developer understand the page
Canonical command family iscodex-multi-auth ...
Canonical runtime root is~/.codex/multi-auth
Runtime rotation must be described as default-on unless the release policy changes
Legacy command/path references belong only in migration contexts in documentation
Compatibility aliases (codex multi auth,codex multi-auth,codex multiauth) belong only in command reference, troubleshooting, or migration contexts
Keep command flags aligned with runtime usage text in documentation
Avoid non-runnable command snippets in documentation
Avoid conflicting path guidance across documentation
Avoid legacy-first onboarding language in documentationDocumentation files should follow the codex-multi-auth Documentation Portal structure with sections for Getting Started, Daily Use, Release History, Repair, Reference, Maintainer Docs, and Governance
Files:
docs/README.mddocs/releases/v2.1.13-beta.1.md
docs/{README.md,package.json,docs/development/GITHUB_DISCOVERABILITY.md}
📄 CodeRabbit inference engine (docs/STYLE_GUIDE.md)
Keep the repository description, package description, README lead, and
docs/development/GITHUB_DISCOVERABILITY.mdaligned
Files:
docs/README.md
docs/**
⚙️ CodeRabbit configuration file
keep README, SECURITY, and docs consistent with actual CLI flags and workflows. whenever behavior changes, require updated upgrade notes and mention new npm scripts.
Files:
docs/README.mddocs/releases/v2.1.13-beta.1.md
package.json
📄 CodeRabbit inference engine (SECURITY.md)
package.json: Pin hono to version 4.12.14 or higher to avoid authentication bypass vulnerability in GHSA-xh87-mx6m-69f3
Pin rollup to version ^4.59.0 or higher to avoid vulnerable versions <4.59.0 in Vite and Vitest transitive dependencies
Files:
package.json
docs/releases/*.md
📄 CodeRabbit inference engine (docs/README.md)
Release notes should be organized in the releases/ directory with semantic versioning filenames (e.g., releases/v2.1.12.md) and include current prerelease, current stable, prior stable, and archived release notes
Files:
docs/releases/v2.1.13-beta.1.md
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Prefer `npm i -g codex-multi-auth` as the standard installation method for new installs
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Migrate from legacy scoped prerelease package `ndycode/codex-multi-auth` to `codex-multi-auth` using: `npm uninstall -g ndycode/codex-multi-auth` followed by `npm i -g codex-multi-auth`
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Maintain three distinct global binaries: `codex-multi-auth` for primary account manager, `codex-multi-auth-codex` for optional wrapper, and `codex-multi-auth-app-launcher` for desktop launcher helper
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Store settings in `~/.codex/multi-auth/settings.json` or override root with `CODEX_MULTI_AUTH_DIR=<path>`
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Store accounts in `~/.codex/multi-auth/openai-codex-accounts.json` and support project-scoped storage at `~/.codex/multi-auth/projects/<project-key>/openai-codex-accounts.json`
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Maintain runtime observability in `~/.codex/multi-auth/runtime-observability.json` to track runtime request metrics, cooldown state, and multi-auth probe visibility
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Support usage ledger recording at `~/.codex/multi-auth/usage/usage-ledger.jsonl` for tracking local usage by time period and project
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Implement health-aware account selection with quota forecasting, automatic failover, and flagged-account recovery mechanisms
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Enable default-on loopback Responses proxy for live account rotation inside forwarded Codex CLI/app sessions with optional opt-out via `CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY=0`
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Support local bridge for `/health`, `/v1/models`, and `/v1/responses` endpoints protected by hashed local client tokens in `~/.codex/multi-auth/local-client-tokens.json`
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Do not disable whole-pool replay by default when every account is rate-limited; instead implement bounded outbound request budgets and cooldown logic
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Trigger short cooldown on repeated cross-account 5xx bursts instead of continuing aggressive rotation
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Stagger proactive refresh to reduce background refresh bursts and avoid thundering herd behavior
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Keep `codex` owned by official OpenAI install path and use `codex-multi-auth-codex ...` only when intentionally wanting this package's forwarding wrapper
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Support environment variable overrides for: `CODEX_MULTI_AUTH_DIR`, `CODEX_MULTI_AUTH_CONFIG_PATH`, `CODEX_MODE`, `CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY`, `CODEX_MULTI_AUTH_APP_ROTATION_IDLE_MS`, `CODEX_MULTI_AUTH_APP_BIND_INSTALL`, `CODEX_MULTI_AUTH_APP_LAUNCHER_INSTALL`, `CODEX_TUI_V2`, `CODEX_TUI_COLOR_PROFILE`, `CODEX_TUI_GLYPHS`, `CODEX_AUTH_BACKGROUND_RESPONSES`, `CODEX_AUTH_FETCH_TIMEOUT_MS`, and `CODEX_AUTH_STREAM_STALL_TIMEOUT_MS`
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Enable `backgroundResponses` mode only for callers that intentionally send `background: true`, as it switches requests from stateless `store=false` to stateful `store=true` routing
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Implement global install/update self-heal for supported packaged Codex app binds and user-level launcher routing with `CODEX_MULTI_AUTH_APP_BIND_INSTALL=0` and `CODEX_MULTI_AUTH_APP_LAUNCHER_INSTALL=0` opt-outs
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Perform daily npm version check during normal forwarded Codex startup as best-effort, printing manual notice only on interactive TTY or when `CODEX_MULTI_AUTH_DEBUG=1`, never auto-running npm install
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:05.826Z
Learning: Make settings and experimental features non-destructive by default: preview-first sync, preserve destination-only accounts, and fail safely on filename collisions
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:13.375Z
Learning: Daily-use documentation should clearly distinguish between common workflows, quick-start commands, and recovery shortcuts
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:13.375Z
Learning: Documentation should include clear information architecture with table-of-contents sections that link to focused documents covering specific capabilities (multi-account OAuth, runtime rotation, diagnostics, recovery, storage, and dashboard)
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:22.057Z
Learning: Multi-workspace support should key quota pools by `org_id` to allow a single email/account belonging to multiple ChatGPT workspaces (e.g., personal and business) to be tracked separately
Learnt from: CR
Repo: ndycode/codex-multi-auth
Timestamp: 2026-05-31T02:29:22.057Z
Learning: Support both paths for obtaining workspace orgs from a two-workspace login: single token containing both orgs (handled by `workspace` command) and sequential tokens (handled by `login --org`)
🔇 Additional comments (4)
.codex-plugin/plugin.json (1)
3-3: LGTM!package.json (1)
3-3: LGTM!README.md (1)
386-386: LGTM!docs/README.md (1)
35-35: LGTM!
1 participant
Summary
Prerelease
v2.1.13-beta.1, shipping the issue #491 multi-workspace work (merged in #493) to the npmbetadist-tag.Bumps
package.json,package-lock.json, and.codex-plugin/plugin.jsonto2.1.13-beta.1, addsdocs/releases/v2.1.13-beta.1.md, and repoints the current-prerelease links inREADME.mdanddocs/README.md.Contents
workspaces/currentWorkspaceIndex(root-cause Zod-strip fix).list/statuslabels and list every workspace under an account.workspace <account> [workspace]command (list + switch active workspace).login --org <org_id>flag to bind a specific workspace on demand.v2.1.13-beta.0.Release steps after merge
v2.1.13-beta.1on the squash-merge commit andgh release createas a prerelease using the notes file.npm publish --tag beta(run separately with publish credentials).Notes
lateststays2.1.12. Stablev2.1.13waits on the issue [bug] 503 Service Unavailable #486 root cause.Verification
npm run build- cleanpackage.json,package-lock.json,.codex-plugin/plugin.json(2.1.13-beta.1)npm test4043 passed, 269 files)note: greptile review for oc-chatgpt-multi-auth. cite files like
lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.Greptile Summary
prerelease version bump from
v2.1.13-beta.0→v2.1.13-beta.1, shipping multi-workspace support (#491/#493) to the npmbetadist-tag. all version fields are consistent acrosspackage.json,package-lock.json, and.codex-plugin/plugin.json; readme links and the new release notes file are coherent.docs/releases/v2.1.13-beta.1.mdwith full feature, fix, and known-gap notes for the multi-workspace work.login --orgis documented to temporarily mutateprocess.env.CODEX_AUTH_ACCOUNT_IDand restore it afterward — a pattern worth watching for async-concurrency safety in the underlying impl.Confidence Score: 4/5
safe to merge as a prerelease bump; the version files are consistent and the docs are accurate, but the underlying login --org env-var mutation pattern described in the notes carries a real async-concurrency and exception-safety risk in the feature code that shipped in #493.
the diff itself is mechanical — version strings and docs only — so merge risk is low. the concern is what the release notes document: login --org temporarily mutates a shared process env var without a try/finally guard visible in the notes, meaning a thrown exception or a concurrent async login call could leave CODEX_AUTH_ACCOUNT_ID set to the wrong org for the rest of the process, silently binding subsequent accounts to the wrong workspace.
docs/releases/v2.1.13-beta.1.md documents the env-var mutation pattern; the actual implementation from #493 should be verified for a try/finally restore guard and absence of concurrent call paths.
Important Files Changed
Sequence Diagram
sequenceDiagram participant User participant CLI participant LoginResolver participant Storage participant Env as process.env User->>CLI: "login --org <org_id>" CLI->>Env: "set CODEX_AUTH_ACCOUNT_ID = org_id" CLI->>LoginResolver: resolve(account) LoginResolver->>Storage: read accounts (Zod V3 schema) Note over Storage: workspaces / currentWorkspaceIndex now preserved (Zod-strip fix) Storage-->>LoginResolver: AccountMetadataV3 with workspaces[] LoginResolver-->>CLI: token + workspace binding CLI->>Env: restore CODEX_AUTH_ACCOUNT_ID (prev value) CLI->>Storage: persist updated account with workspace User->>CLI: "workspace <account> [workspace]" CLI->>Storage: read account workspaces[] alt workspace index provided CLI->>Storage: set currentWorkspaceIndex, persist CLI-->>User: switched to workspace name else no index CLI-->>User: list workspaces (active marked, disabled flagged) endPrompt To Fix All With AI
Reviews (1): Last reviewed commit: "chore: release v2.1.13-beta.1 (#491)" | Re-trigger Greptile