fix: detect token invalidation in 401 responses and stop cascade rotation

[ndycode]

Summary

Fixes #495 — rotation gateway triggers mass OAuth token invalidation across accounts.

• Detect token invalidation specifically: The 401 handler now reads the response body and checks for explicit invalidation phrases ("invalidated oauth token", "authentication token has been invalidated", etc.), distinguishing them from generic expired-token 401s.
• Stop cascade rotation on invalidation: When detected, the 401 is returned directly to the client instead of rotating to the next account. Rotating was the root cause — presenting each account's OAuth token from the same IP in rapid succession triggered OpenAI's anti-abuse detection and invalidated them in sequence.
• Apply long cooldown: Invalidated accounts get a 5-minute cooldown (configurable via CODEX_AUTH_TOKEN_INVALIDATION_COOLDOWN_MS or tokenInvalidationCooldownMs in config) vs the generic 30-second auth-failure cooldown.
• Clear session affinity: Session affinity for the affected session key is cleared so the next request can pick a healthy account.

Generic 401 responses (expired tokens, wrong credentials) continue to rotate as before.

Test plan

• New test: invalidation body → 401 returned to client, no rotation, cooldown applied
• New test: generic 401 body → still rotates to next account (regression guard)
• Full suite: 4047 tests pass
• TypeScript: clean (tsc --noEmit)
• Schema: tokenInvalidationCooldownMs added to Zod schema with min(0), allows-zero and rejects-string coverage added

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

adds token-invalidation detection to the 401 handler (both the upstream response path and the refresh-endpoint failure path), stops cascade rotation by returning the 401 directly to the client, and applies a configurable 5-minute cooldown. a second feature (minRotationIntervalMs) adds a sticky score boost toward the last-served account to reduce how often a different OAuth token is presented from the same IP within the configured window.

• invalidation detection (TOKEN_INVALIDATION_PHRASES + isTokenInvalidationError) and applyMonotonicAuthCooldown address the cascade failure from issue Rotation gateway triggers mass OAuth token invalidation across accounts #495; both refresh-failure and upstream-401 paths clear session affinity on detection.
• minRotationIntervalMs sliding anchor (lastGlobalSwitchAt updated every successful serve, not only on account change) prevents the sticky window from expiring prematurely between back-to-back requests on the same account.
• schema, config, docs, and 7 new vitest cases are all consistent with the implementation.

Confidence Score: 5/5

safe to merge; the invalidation-detection and cascade-stop logic is correct and well-tested, with no regressions to the generic-401 rotation path.

the two new 401 exit paths are both exercised by dedicated tests, the monotonic-cooldown helper correctly gates writes on the live account state, and the sliding-anchor test guards the key regression. the findings here are design-level observations that don't affect correctness in any current code path.

lib/runtime-rotation-proxy.ts — the two token-invalidation exit paths produce structurally different response bodies, and applyMonotonicAuthCooldown uses Date.now() rather than the proxy's injected now function.

Important Files Changed

Filename	Overview
lib/runtime-rotation-proxy.ts	core change: adds TOKEN_INVALIDATION_PHRASES detection, applyMonotonicAuthCooldown helper (uses Date.now() directly rather than injected now), invalidation early-return in both the refresh and upstream-401 paths, minRotationIntervalMs sticky-boost logic, and lastGlobalSwitchAt sliding anchor; the two invalidation exit paths produce asymmetric response bodies for clients
lib/config.ts	adds getTokenInvalidationCooldownMs and getMinRotationIntervalMs with correct env-var resolution, min(0) guards, and CONFIG_EXPLAIN_ENTRIES entries; default values match schema and docs
lib/schemas.ts	tokenInvalidationCooldownMs and minRotationIntervalMs added to PluginConfigSchema with z.number().min(0).optional(); consistent with other cooldown fields
test/runtime-rotation-proxy.test.ts	7 new tests cover upstream-401 invalidation, refresh-path invalidation, empty body, generic-401 rotation, html body, sticky-boost, and sliding-anchor regression; cooldown duration bounds are asserted for both the 5-min and 30s cases
docs/configuration.md	adds env-var table rows and anti-abuse prose for both new knobs; accurate defaults match config.ts
docs/troubleshooting.md	new troubleshooting section for cascade token invalidation; guidance and env-var references are consistent with the implementation

Sequence Diagram

sequenceDiagram
    participant C as Client
    participant P as Proxy
    participant AM as AccountManager
    participant U as Upstream (OpenAI)

    C->>P: POST /responses

    rect rgb(220, 240, 220)
        Note over P: minRotationIntervalMs sticky-boost applied to chooseAccount
        P->>AM: ensureFreshAccessToken()
        alt refresh endpoint returns invalidation message
            AM-->>P: "{ok:false, invalidated:true}"
            P->>AM: applyMonotonicAuthCooldown(5 min)
            P->>P: forgetSession(sessionKey)
            P-->>C: "401 {error:{code:"token_invalidated"}}"
            Note over P: return — no rotation
        else refresh succeeds
            AM-->>P: "{ok:true, accessToken}"
            P->>U: proxied request
            alt upstream returns 401 with invalidation body
                U-->>P: 401 "invalidated oauth token"
                P->>AM: applyMonotonicAuthCooldown(5 min)
                P->>P: forgetSession(sessionKey)
                P-->>C: 401 raw upstream body
                Note over P: return — no rotation
            else upstream returns generic 401
                U-->>P: 401 "Unauthorized"
                P->>AM: applyMonotonicAuthCooldown(30 s)
                P->>P: continue loop → rotate account
            else upstream returns 200
                U-->>P: 200 stream
                P->>AM: recordSuccess()
                P->>P: "lastGlobalSwitchAt = now()"
                P-->>C: 200 streamed response
            end
        end
    end

Loading

Comments Outside Diff (1)

1. lib/runtime-rotation-proxy.ts, line 1666-1700 (link)

   concurrency: racing generic-401 path can overwrite the 5-minute invalidation cooldown

   markAccountCoolingDown is an unconditional overwrite (account.coolingDownUntil = nowMs() + ms). if two concurrent requests hit the same account and one gets an invalidation 401 while the other gets a generic 401, the generic path (executing after the invalidation path sets 5 min) overwrites it with 30 seconds. the window is narrow but non-zero — a request inflight before invalidation is detected racing against the first detected invalidation response. a "take the maximum" check in markAccountCoolingDown would close this.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: lib/runtime-rotation-proxy.ts
   Line: 1666-1700
   
   Comment:
   **concurrency: racing generic-401 path can overwrite the 5-minute invalidation cooldown**
   
   `markAccountCoolingDown` is an unconditional overwrite (`account.coolingDownUntil = nowMs() + ms`). if two concurrent requests hit the same account and one gets an invalidation 401 while the other gets a generic 401, the generic path (executing after the invalidation path sets 5 min) overwrites it with 30 seconds. the window is narrow but non-zero — a request inflight before invalidation is detected racing against the first detected invalidation response. a "take the maximum" check in `markAccountCoolingDown` would close this.
   
   How can I resolve this? If you propose a fix, please make it concise.

   

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
lib/runtime-rotation-proxy.ts:663-671
**`applyMonotonicAuthCooldown` bypasses the injected `now` clock**

the function calls `Date.now()` directly for its monotonic comparison, while the rest of the proxy routes all time reads through the injectable `now()` closure (set via `options.now` in tests). if a test ever injects a custom `now` that isn't `Date.now` — or if fake timers stub `Date` but the proxy's `now` reference is captured before the stub — the monotonic guard operates on a different clock than the cooldown deadline it's comparing against, silently defeating the race protection. pass `now` as a parameter or capture it from the outer closure the same way the rest of the loop does.

### Issue 2 of 2
lib/runtime-rotation-proxy.ts:1738-1746
**asymmetric 401 body between the two invalidation paths**

the refresh-failure invalidation path (earlier in the loop) synthesises `{error: {message: "...", code: "token_invalidated"}}`, giving clients a stable machine-readable `code` field. this upstream-401 invalidation path forwards the raw OpenAI error body, which won't contain `code: "token_invalidated"`. any client (or operator tooling) that detects "explicitly invalidated vs generic 401" by checking `error.code` will catch one path but silently miss the other. consider injecting the same synthesised wrapper here, or at minimum overwriting the body so the `code` field is consistent across both paths.

_{Reviews (6): Last reviewed commit: "docs: document token-invalidation anti-a..." | Re-trigger Greptile}

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

adds token-invalidation-cooldown config and detection to the runtime proxy. on matching upstream 401 bodies the proxy refunds the runtime token, marks the account with an auth-failure cooldown, clears session affinity, persists account state, records a token_invalidated observability event, and returns the upstream 401 to the client without rotating. see lib/config.ts:1407-1448 and lib/runtime-rotation-proxy.ts:1729-1758.

Changes

token invalidation cooldown + rotation

Layer / File(s)	Summary
schema, defaults, and getter lib/schemas.ts:73, lib/config.ts:201, lib/config.ts:1407-1448, lib/config.ts:1869-1878, test/schemas.test.ts:101-102, test/plugin-config.test.ts:163-164,236-237,553-554,627-628,695-696, test/codex-manager-cli.test.ts:1178	PluginConfigSchema adds optional tokenInvalidationCooldownMs (lib/schemas.ts:73). DEFAULT_PLUGIN_CONFIG sets it to 5 * 60_000 (lib/config.ts:201). new getter getTokenInvalidationCooldownMs() resolves CODEX_AUTH_TOKEN_INVALIDATION_COOLDOWN_MS with clamp >=0 (lib/config.ts:1407-1448). config explain entry added (lib/config.ts:1869-1878). tests updated to expect the new default.
proxy: classifier & monotonic cooldown helper lib/runtime-rotation-proxy.ts:20,121-139,659-673	introduces TOKEN_INVALIDATION_PHRASES and isTokenInvalidationError() for case-insensitive substring matching of revocation messages (lib/runtime-rotation-proxy.ts:121-139). adds applyMonotonicAuthCooldown() to extend cooling windows only when larger (lib/runtime-rotation-proxy.ts:659-673). imports config getter (lib/runtime-rotation-proxy.ts:20).
token refresh handling lib/runtime-rotation-proxy.ts:737-763	ensureFreshAccessToken() now accepts tokenInvalidationCooldownMs, detects invalidation on refresh failure, applies the long cooldown and persists account state, and returns { invalidated } to stop rotation cascades (lib/runtime-rotation-proxy.ts:737-763).
upstream 401 passthrough and early exit lib/runtime-rotation-proxy.ts:1509-1534,1729-1758	when ensureFreshAccessToken reports { invalidated } proxy refunds token, clears affinity, returns 401 JSON {code: "token_invalidated"} and stops rotation (lib/runtime-rotation-proxy.ts:1509-1534). on upstream 401 that matches invalidation phrases proxy refunds token, applies tokenInvalidationCooldownMs monotonically, clears affinity, persists, records errorCode: "token_invalidated", and forwards the upstream 401 unchanged (lib/runtime-rotation-proxy.ts:1729-1758).
chooseAccount sticky boost & global trackers lib/runtime-rotation-proxy.ts:914-993,1229-1235,1445-1462,1836-1839	chooseAccount gains optional stickyBoostByAccount merged into scoring (lib/runtime-rotation-proxy.ts:914-993). proxy reads tokenInvalidationCooldownMs, tracks lastGlobalAccountIndex/lastGlobalSwitchAt, computes rotationStickyBoost during min-rotation windows and passes it into chooseAccount, and updates trackers on forwarded-account changes (lib/runtime-rotation-proxy.ts:1229-1235,1445-1462,1836-1839).
tests: runtime rotation and validation test/runtime-rotation-proxy.test.ts:1842-2032, test/schemas.test.ts:101-102, test/plugin-config.test.ts:163-696, test/codex-manager-cli.test.ts:1178	adds/updates tests covering upstream invalidation 401 passthrough, generic 401 rotation and recovery, empty-body handling, OAuth refresh invalidation behavior, min-rotation sliding anchor and sticky behavior, detection in non-JSON 401 bodies, and schema/config expectations. see test/runtime-rotation-proxy.test.ts:1842-2032.

Sequence Diagram(s)

sequenceDiagram
  participant client as client
  participant proxy as lib/runtime-rotation-proxy.ts
  participant upstream as upstream/auth or model
  participant store as account store / persistence

  client->>proxy: request using runtime token
  proxy->>upstream: forward request
  upstream-->>proxy: 401 with body
  proxy->>proxy: isTokenInvalidationError(body)
  alt invalidation detected
    proxy->>store: refund token, mark coolingUntil using tokenInvalidationCooldownMs
    proxy->>store: clear session affinity, persist account state
    proxy-->>client: forward upstream 401 (status/headers/body)
    proxy->>store: record usage errorCode: "token_invalidated"
  else generic 401
    proxy->>proxy: apply auth-failure cooldown (short)
    proxy->>proxy: rotate to next account and retry
    proxy-->>client: recovered stream (200) or final response
  end

Loading

estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

possibly related PRs

• ndycode/codex-multi-auth#480: overlaps in chooseAccount parameter/selection changes.
• ndycode/codex-multi-auth#438: base runtime rotation proxy this PR extends.

suggested labels

bug

notes:

• missing regression tests. add parameterized tests for varied casing and localized/non-english upstream messages containing revocation phrases. see test/runtime-rotation-proxy.test.ts:1918-1953 and test/runtime-rotation-proxy.test.ts:2014-2032.
• windows / encoding edge cases. isTokenInvalidationError() uses case-insensitive substring matching; add tests for non-utf8 or platform-encoded bodies to ensure matching survives encoding differences. see lib/runtime-rotation-proxy.ts:121-139 and test/runtime-rotation-proxy.test.ts:2014-2032.
• concurrency risk on account state persistence. the code persists account state after marking cooldown; verify persistAccountState() is atomic or externally synchronized to avoid lost updates when multiple detectors run concurrently. see lib/runtime-rotation-proxy.ts:1729-1758.

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	Title is 73 characters but the requirement specifies maximum 72 characters in the summary.	Reduce title by 1 character. Consider: 'fix: detect token invalidation in 401 responses and stop rotation' (71 chars).
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Out of Scope Changes check	❓ Inconclusive	The minRotationIntervalMs sticky-boost mechanism in chooseAccount and the sliding-window tracking (lastGlobalSwitchAt) extend beyond the core invalidation detection and cascade-stop objectives, though they address root-cause prevention.	Clarify whether minRotationIntervalMs sticky boost is in scope for #495 or should be a separate follow-up. If in-scope, verify it doesn't introduce unintended account-stickiness regressions across different user workflows.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	All five coding objectives from #495 are met: detects token invalidation via phrases in 401 bodies [#495], stops cascade rotation [#495], applies longer cooldown [#495], clears session affinity [#495], reduces rapid switching via minRotationIntervalMs [#495].
Description check	✅ Passed	PR description comprehensively covers the fix, test plan, validation steps, and includes greptile review with specific file citations and risk flagging.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/495-token-invalidation

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch fix/495-token-invalidation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

redundant phrases in TOKEN_INVALIDATION_PHRASES

phrases 2 and 3 ("authentication token has been invalidated" and "oauth token has been invalidated") are both substrings of phrase 4 ("token has been invalidated"), so the .some() check will already match them via the broader phrase. phrases 2 and 3 are dead code. either remove phrase 4 to keep the more specific set, or drop phrases 2 and 3 since phrase 4 already covers them.

Suggested change

	const TOKEN_INVALIDATION_PHRASES = [
	"invalidated oauth token",
	"authentication token has been invalidated",
	"oauth token has been invalidated",
	"token has been invalidated",
	] as const;
	const TOKEN_INVALIDATION_PHRASES = [
	"invalidated oauth token",
	"token has been invalidated",
	] as const;

Prompt To Fix With AI

This is a comment left during a code review.
Path: lib/runtime-rotation-proxy.ts
Line: 124-129

Comment:
**redundant phrases in TOKEN_INVALIDATION_PHRASES**

phrases 2 and 3 (`"authentication token has been invalidated"` and `"oauth token has been invalidated"`) are both substrings of phrase 4 (`"token has been invalidated"`), so the `.some()` check will already match them via the broader phrase. phrases 2 and 3 are dead code. either remove phrase 4 to keep the more specific set, or drop phrases 2 and 3 since phrase 4 already covers them.

```suggestion
const TOKEN_INVALIDATION_PHRASES = [
	"invalidated oauth token",
	"token has been invalidated",
] as const;
```

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

cooldownReason does not distinguish token invalidation from generic auth failure

both the invalidation path and the generic 401 path record "auth-failure" as the CooldownReason. since CooldownReason is a union in lib/storage/migrations.ts, adding "token-invalidated" would let operators distinguish a 5-minute invalidation cooldown from a 30-second auth cooldown in stored account state. the current state makes codex-multi-auth rotation status output ambiguous for affected accounts.

Prompt To Fix With AI

This is a comment left during a code review.
Path: lib/runtime-rotation-proxy.ts
Line: 1672-1676

Comment:
**cooldownReason does not distinguish token invalidation from generic auth failure**

both the invalidation path and the generic 401 path record `"auth-failure"` as the `CooldownReason`. since `CooldownReason` is a union in `lib/storage/migrations.ts`, adding `"token-invalidated"` would let operators distinguish a 5-minute invalidation cooldown from a 30-second auth cooldown in stored account state. the current state makes `codex-multi-auth rotation status` output ambiguous for affected accounts.

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/schemas.test.ts (1)

33-77: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

add tokenInvalidationCooldownMs to the full config test for consistency.

the test includes networkErrorCooldownMs (line 68) and serverErrorCooldownMs (line 69) but omits the new tokenInvalidationCooldownMs field. for completeness and to verify the field integrates correctly with the full config object, add it here.

suggested addition

 		networkErrorCooldownMs: 6000,
 		serverErrorCooldownMs: 4000,
+		tokenInvalidationCooldownMs: 300000,
 		preemptiveQuotaEnabled: true,

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/schemas.test.ts` around lines 33 - 77, The full-config unit test is
missing the new tokenInvalidationCooldownMs field; update the test that
constructs the config object in the "accepts valid full config" case so it
includes tokenInvalidationCooldownMs with an appropriate numeric value (near
other cooldowns like networkErrorCooldownMs and serverErrorCooldownMs) before
calling PluginConfigSchema.safeParse; this ensures PluginConfigSchema (used in
the test) validates the new field along with networkErrorCooldownMs and
serverErrorCooldownMs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@lib/runtime-rotation-proxy.ts`:
- Around line 121-129: Add a comment block above TOKEN_INVALIDATION_PHRASES
explaining these strings were observed in OpenAI/Microsoft error response bodies
when an OAuth token was explicitly revoked (not just expired), include the
provenance (source provider and date/CI run where observed) and note that this
list is used to detect non-retryable revoked-token errors in
runtime-rotation-proxy; instruct maintainers to add new phrases to
TOKEN_INVALIDATION_PHRASES when encountering different wording in production,
record the source and date in the comment, update any associated tests that
assert revoked-token detection (and run the test suite), and keep the list in
sync with provider docs/changelog.

In `@test/runtime-rotation-proxy.test.ts`:
- Around line 1843-1889: Add edge-case tests to runtime-rotation-proxy.test.ts
targeting phrase-detection robustness: (1) a 401 with an empty body should NOT
be treated as an explicit invalidation and should trigger rotation — use
AccountManager, createRecordingFetch((_call, attempt) => attempt === 1 ? new
Response("", { status: HTTP_STATUS.UNAUTHORIZED }) : textEventStream(...)) and
assert two upstream calls and proxy.getStatus().rotations increased; (2) a 401
with a non-JSON/html body containing the invalidation phrase (e.g.,
"<html>...oauth token has been invalidated...</html>") should be detected as
invalidation — return that Response via createRecordingFetch and assert no
rotation and accountManager.getAccountByIndex(0)?.cooldownReason ===
"auth-failure"; (3) simulate concurrent invalidation races by firing multiple
postResponses(proxy, ...) in parallel against a fetchImpl that returns the
invalidation response for the first N concurrent calls and ensure the account is
cooled once and rotations/call counts match expected behavior; reuse startProxy,
postResponses, createRecordingFetch and assert calls, headers
(OPENAI_HEADERS.ACCOUNT_ID), cooldownReason and proxy.getStatus().rotations
accordingly.
- Around line 1866-1889: Add a deterministic assertion that the first account's
coolingDownUntil uses the short auth-failure cooldown: after the simulated
generic 401, check AccountManager (the local accountManager variable used to
startProxy) for the first account's coolingDownUntil and assert it is
approximately now + 30_000 (use a small delta window, e.g. between now + 29_900
and now + 30_100) to ensure the generic 401 path sets the short cooldown rather
than the long invalidation cooldown.
- Around line 1843-1864: Update the test so it verifies the invalidation
cooldown duration and that session affinity was cleared: after calling
postResponses(proxy, ...) assert
accountManager.getAccountByIndex(0)?.coolingDownUntil is approximately now +
300_000 (5 minutes) rather than 30_000, and also send a request with
metadata.session_id (e.g. "session-invalidated") and assert that the session was
forgotten (i.e., subsequent requests are not routed to the same account;
reference the forgetSession behavior invoked in lib/runtime-rotation-proxy.ts),
keeping existing checks for cooldownReason ("auth-failure") and rotations; use
startProxy, postResponses, AccountManager.getAccountByIndex and
proxy.getStatus() to locate the relevant state.

---

Outside diff comments:
In `@test/schemas.test.ts`:
- Around line 33-77: The full-config unit test is missing the new
tokenInvalidationCooldownMs field; update the test that constructs the config
object in the "accepts valid full config" case so it includes
tokenInvalidationCooldownMs with an appropriate numeric value (near other
cooldowns like networkErrorCooldownMs and serverErrorCooldownMs) before calling
PluginConfigSchema.safeParse; this ensures PluginConfigSchema (used in the test)
validates the new field along with networkErrorCooldownMs and
serverErrorCooldownMs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e003d052-2904-4e54-86f7-bd9bd4efdb84

📥 Commits

Reviewing files that changed from the base of the PR and between 33e4b22 and 9bf35e1.

📒 Files selected for processing (7)

• lib/config.ts
• lib/runtime-rotation-proxy.ts
• lib/schemas.ts
• test/codex-manager-cli.test.ts
• test/plugin-config.test.ts
• test/runtime-rotation-proxy.test.ts
• test/schemas.test.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Greptile Review

🧰 Additional context used

📓 Path-based instructions (11)

**/*.{ts,tsx,js,mjs}

📄 CodeRabbit inference engine (AGENTS.md)

Use ESM only ("type": "module"), Node >= 18

Files:

• test/schemas.test.ts
• test/codex-manager-cli.test.ts
• test/runtime-rotation-proxy.test.ts
• lib/schemas.ts
• lib/config.ts
• test/plugin-config.test.ts
• lib/runtime-rotation-proxy.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use as any, @ts-ignore, or @ts-expect-error TypeScript assertions

Files:

• test/schemas.test.ts
• test/codex-manager-cli.test.ts
• test/runtime-rotation-proxy.test.ts
• lib/schemas.ts
• lib/config.ts
• test/plugin-config.test.ts
• lib/runtime-rotation-proxy.ts

{**/scripts/**/*.js,**/test/**/*.ts}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use bare recursive delete logic in Windows-sensitive scripts/tests without retry handling for transient EBUSY/EPERM/ENOTEMPTY errors

Files:

• test/schemas.test.ts
• test/codex-manager-cli.test.ts
• test/runtime-rotation-proxy.test.ts
• test/plugin-config.test.ts

test/**/*.test.ts

📄 CodeRabbit inference engine (test/AGENTS.md)

test/**/*.test.ts: Vitest globals (describe, it, expect) are enabled and should be used without explicit imports
Maintain 80% coverage threshold across statements, branches, functions, and lines
Use removeWithRetry for Windows filesystem cleanup instead of bare fs.rm to handle EBUSY/EPERM/ENOTEMPTY backoff
Use source files in tests, not compiled dist/ files; test the source directly
Do not skip tests without justification; include rationale if a test must be skipped
Relax ESLint rules for test files as specified in eslint.config.js

Files:

• test/schemas.test.ts
• test/codex-manager-cli.test.ts
• test/runtime-rotation-proxy.test.ts
• test/plugin-config.test.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (README.md)

**/*.{ts,tsx,js,jsx}: Implement default-on runtime Responses rotation for request-bearing forwarded Codex CLI/app sessions, with opt-out support via CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY=0
Store project-scoped accounts under ~/.codex/multi-auth/projects/<project-key>/openai-codex-accounts.json for repo-specific workflows
Support environment variable overrides for configuration including CODEX_MULTI_AUTH_DIR, CODEX_MODE, CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY, CODEX_TUI_COLOR_PROFILE, and others as documented
Implement account health checks with codex-multi-auth check command that validates saved account credentials and state
Implement quota forecasting and budget guards to prevent exhausting account quota within a session
Record local usage in a ledger at ~/.codex/multi-auth/usage/usage-ledger.jsonl for per-project tracking and reporting
Implement bounded outbound request budget so one prompt cannot walk the full account pool indefinitely
Trigger short cooldown instead of continuing aggressive rotation when repeated cross-account 5xx bursts are detected
Stagger proactive token refresh to reduce background refresh bursts across the account pool
Expose recent runtime request metrics in codex-multi-auth status text output and machine-readable metrics in codex-multi-auth report --json
Make OAuth callback listen on port 1455 for login flows
Support device authorization flow via codex-multi-auth login --device-auth as an alternate to browser-based OAuth for headless environments
Implement dashboard hotkeys including Up/Down for navigation, Enter for selection, 1-9 for quick switch, / for search, ? for help, Q to back, S to set account, R to refresh, E to enable/disable, and D to delete
Support named local pool backup export with filename prompt in the Settings > Experimental menu
Implement codex-multi-auth doctor --fix command to diagnose and apply the safest fixes for storage or account state issues
Implement codex-multi-auth fix --dry-run ...

Files:

• test/schemas.test.ts
• test/codex-manager-cli.test.ts
• test/runtime-rotation-proxy.test.ts
• lib/schemas.ts
• lib/config.ts
• test/plugin-config.test.ts
• lib/runtime-rotation-proxy.ts

test/**

⚙️ CodeRabbit configuration file

tests must stay deterministic and use vitest. demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior. reject changes that mock real secrets or skip assertions.

Files:

• test/schemas.test.ts
• test/codex-manager-cli.test.ts
• test/runtime-rotation-proxy.test.ts
• test/plugin-config.test.ts

test/**/codex-manager-cli.test.ts

📄 CodeRabbit inference engine (test/AGENTS.md)

Test CLI settings with question cancellation across all 5 panels and EBUSY/concurrent race conditions

Files:

• test/codex-manager-cli.test.ts

lib/**/*.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/**/*.ts: All public exports should flow through lib/index.ts or documented package subpaths
Never import from dist/ in source tests or library code
Never suppress type errors

Files:

• lib/schemas.ts
• lib/config.ts
• lib/runtime-rotation-proxy.ts

lib/**

⚙️ CodeRabbit configuration file

focus on auth rotation, windows filesystem IO, and concurrency. verify every change cites affected tests (vitest) and that new queues handle EBUSY/429 scenarios. check for logging that leaks tokens or emails.

Files:

• lib/schemas.ts
• lib/config.ts
• lib/runtime-rotation-proxy.ts

**/lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (AGENTS.md)

**/lib/runtime-rotation-proxy.ts: Keep runtime rotation default-on behavior aligned with explicit release and migration documentation
Do not expose account emails or tokens in runtime proxy client response headers or logs

Files:

• lib/runtime-rotation-proxy.ts

lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/runtime-rotation-proxy.ts: Runtime rotation code must preserve pass-through semantics except for auth/provider headers that intentionally change
Runtime proxy client-facing headers must not expose account emails or tokens
Runtime rotation should fail open to normal official Codex forwarding when startup helpers are unavailable
Never add account emails/tokens to runtime proxy client responses

Files:

• lib/runtime-rotation-proxy.ts

🔇 Additional comments (9)

lib/schemas.ts (1)

73-73: LGTM!

lib/config.ts (3)

201-201: LGTM!

---

1406-1424: LGTM!

---

1846-1850: LGTM!

test/schemas.test.ts (2)

101-101: LGTM!

---

136-136: LGTM!

test/codex-manager-cli.test.ts (1)

1178-1178: LGTM!

test/plugin-config.test.ts (1)

163-163: LGTM!

Also applies to: 235-235, 551-551, 624-624, 691-691

lib/runtime-rotation-proxy.ts (1)

1666-1688: LGTM!

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/runtime-rotation-proxy.test.ts (1)

1843-1867: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

assert the upstream 401 body is forwarded unchanged.

these tests prove status and rotation, but not the passthrough contract in lib/runtime-rotation-proxy.ts:1682-1683. add expect(await response.text()).toBe(invalidationBody) in test/runtime-rotation-proxy.test.ts:1843-1867 and the equivalent html-body assertion in test/runtime-rotation-proxy.test.ts:1918-1936, otherwise a future change could still rewrite the body while keeping these tests green.

as per coding guidelines, "lib/runtime-rotation-proxy.ts: runtime rotation code must preserve pass-through semantics except for auth/provider headers that intentionally change".

Also applies to: 1918-1936

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/runtime-rotation-proxy.test.ts` around lines 1843 - 1867, Add assertions
that the upstream 401 response body is forwarded unchanged: in the test case
using invalidationBody (the block calling postResponses and asserting
HTTP_STATUS.UNAUTHORIZED, calls length, headers, cooldowns and
proxy.getStatus().rotations) add expect(await
response.text()).toBe(invalidationBody) to verify passthrough semantics for
JSON; likewise add an equivalent expect(await
response.text()).toBe(htmlInvalidationBody) in the other test block (the
HTML-response case) so both tests assert the exact body is returned unchanged by
the runtime rotation proxy code paths that modify only auth/provider headers.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@test/runtime-rotation-proxy.test.ts`:
- Around line 1843-1867: Add assertions that the upstream 401 response body is
forwarded unchanged: in the test case using invalidationBody (the block calling
postResponses and asserting HTTP_STATUS.UNAUTHORIZED, calls length, headers,
cooldowns and proxy.getStatus().rotations) add expect(await
response.text()).toBe(invalidationBody) to verify passthrough semantics for
JSON; likewise add an equivalent expect(await
response.text()).toBe(htmlInvalidationBody) in the other test block (the
HTML-response case) so both tests assert the exact body is returned unchanged by
the runtime rotation proxy code paths that modify only auth/provider headers.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8cf9ff80-2230-449e-bed1-533f43a0d6b9

📥 Commits

Reviewing files that changed from the base of the PR and between 9bf35e1 and b354205.

📒 Files selected for processing (2)

• lib/runtime-rotation-proxy.ts
• test/runtime-rotation-proxy.test.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Greptile Review

🧰 Additional context used

📓 Path-based instructions (10)

**/*.{ts,tsx,js,mjs}

📄 CodeRabbit inference engine (AGENTS.md)

Use ESM only ("type": "module"), Node >= 18

Files:

• lib/runtime-rotation-proxy.ts
• test/runtime-rotation-proxy.test.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use as any, @ts-ignore, or @ts-expect-error TypeScript assertions

Files:

• lib/runtime-rotation-proxy.ts
• test/runtime-rotation-proxy.test.ts

**/lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (AGENTS.md)

**/lib/runtime-rotation-proxy.ts: Keep runtime rotation default-on behavior aligned with explicit release and migration documentation
Do not expose account emails or tokens in runtime proxy client response headers or logs

Files:

• lib/runtime-rotation-proxy.ts

lib/**/*.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/**/*.ts: All public exports should flow through lib/index.ts or documented package subpaths
Never import from dist/ in source tests or library code
Never suppress type errors

Files:

• lib/runtime-rotation-proxy.ts

lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/runtime-rotation-proxy.ts: Runtime rotation code must preserve pass-through semantics except for auth/provider headers that intentionally change
Runtime proxy client-facing headers must not expose account emails or tokens
Runtime rotation should fail open to normal official Codex forwarding when startup helpers are unavailable
Never add account emails/tokens to runtime proxy client responses

Files:

• lib/runtime-rotation-proxy.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (README.md)

**/*.{ts,tsx,js,jsx}: Implement default-on runtime Responses rotation for request-bearing forwarded Codex CLI/app sessions, with opt-out support via CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY=0
Store project-scoped accounts under ~/.codex/multi-auth/projects/<project-key>/openai-codex-accounts.json for repo-specific workflows
Support environment variable overrides for configuration including CODEX_MULTI_AUTH_DIR, CODEX_MODE, CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY, CODEX_TUI_COLOR_PROFILE, and others as documented
Implement account health checks with codex-multi-auth check command that validates saved account credentials and state
Implement quota forecasting and budget guards to prevent exhausting account quota within a session
Record local usage in a ledger at ~/.codex/multi-auth/usage/usage-ledger.jsonl for per-project tracking and reporting
Implement bounded outbound request budget so one prompt cannot walk the full account pool indefinitely
Trigger short cooldown instead of continuing aggressive rotation when repeated cross-account 5xx bursts are detected
Stagger proactive token refresh to reduce background refresh bursts across the account pool
Expose recent runtime request metrics in codex-multi-auth status text output and machine-readable metrics in codex-multi-auth report --json
Make OAuth callback listen on port 1455 for login flows
Support device authorization flow via codex-multi-auth login --device-auth as an alternate to browser-based OAuth for headless environments
Implement dashboard hotkeys including Up/Down for navigation, Enter for selection, 1-9 for quick switch, / for search, ? for help, Q to back, S to set account, R to refresh, E to enable/disable, and D to delete
Support named local pool backup export with filename prompt in the Settings > Experimental menu
Implement codex-multi-auth doctor --fix command to diagnose and apply the safest fixes for storage or account state issues
Implement codex-multi-auth fix --dry-run ...

Files:

• lib/runtime-rotation-proxy.ts
• test/runtime-rotation-proxy.test.ts

lib/**

⚙️ CodeRabbit configuration file

focus on auth rotation, windows filesystem IO, and concurrency. verify every change cites affected tests (vitest) and that new queues handle EBUSY/429 scenarios. check for logging that leaks tokens or emails.

Files:

• lib/runtime-rotation-proxy.ts

{**/scripts/**/*.js,**/test/**/*.ts}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use bare recursive delete logic in Windows-sensitive scripts/tests without retry handling for transient EBUSY/EPERM/ENOTEMPTY errors

Files:

• test/runtime-rotation-proxy.test.ts

test/**/*.test.ts

📄 CodeRabbit inference engine (test/AGENTS.md)

test/**/*.test.ts: Vitest globals (describe, it, expect) are enabled and should be used without explicit imports
Maintain 80% coverage threshold across statements, branches, functions, and lines
Use removeWithRetry for Windows filesystem cleanup instead of bare fs.rm to handle EBUSY/EPERM/ENOTEMPTY backoff
Use source files in tests, not compiled dist/ files; test the source directly
Do not skip tests without justification; include rationale if a test must be skipped
Relax ESLint rules for test files as specified in eslint.config.js

Files:

• test/runtime-rotation-proxy.test.ts

test/**

⚙️ CodeRabbit configuration file

tests must stay deterministic and use vitest. demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior. reject changes that mock real secrets or skip assertions.

Files:

• test/runtime-rotation-proxy.test.ts

🔇 Additional comments (1)

test/runtime-rotation-proxy.test.ts (1)

1843-1867: still missing the invalidation affinity-clearing regression.

lib/runtime-rotation-proxy.ts:1680 forgets the session key on token invalidation, but test/runtime-rotation-proxy.test.ts:1843-1867 never seeds a session id or proves the next request is no longer pinned to the cooled account. this auth-rotation path still needs the regression coverage called out earlier.

as per coding guidelines, "test/**: tests must stay deterministic and use vitest. demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior."

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

lib/runtime-rotation-proxy.ts (1)

1685-1712: ⚠️ Potential issue | 🟠 Major

prevent cooldown shortening on concurrent 401s

• in lib/runtime-rotation-proxy.ts:1691-1712, the token-invalidation 401 path marks a long cooldown and returns, but another 401 path can mark the same account with the shorter "auth-failure" cooldown (DEFAULT_AUTH_FAILURE_COOLDOWN_MS) for concurrent requests.
• in lib/accounts.ts:1078-1086, markAccountCoolingDown(...): void overwrites account.coolingDownUntil = nowMs() + ms unconditionally (no max-deadline/min-clamp), so a later shorter call can shrink the invalidation window under concurrency.
• add a vitest that fires concurrent 401s for the same account where one is isTokenInvalidationError(bodyText) and the other is the generic auth-failure branch, then assert coolingDownUntil never decreases (current tests like test/accounts.test.ts:1254-1258 and test/rotation-integration.test.ts:174-178 cover single cooldown state, not concurrent overwrites).
• align the implementations so the sync markAccountCoolingDown(...): void in lib/accounts.ts:1078-1086 cannot regress the longer window—either funnel through the mutexed cooldown updater at lib/accounts.ts:1016-1021 or implement max-window semantics in the sync path.
• windows edge case: both branches persist via saveToDiskDebounced() in lib/runtime-rotation-proxy.ts:1691-1712; add coverage that debounced persistence ordering can’t write back a shorter cooldown value after races (esp. with windows filesystem/ebusy scenarios).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@lib/runtime-rotation-proxy.ts` around lines 1685 - 1712, The
token-invalidation 401 path can set a long cooldown but a concurrent generic 401
can later overwrite it with a shorter window because markAccountCoolingDown(...)
writes coolingDownUntil unconditionally; change markAccountCoolingDown in
lib/accounts.ts to never shorten an existing deadline (set
account.coolingDownUntil = max(account.coolingDownUntil || 0, nowMs() + ms)) or
delegate the sync path to the existing mutexed updater (the updater used around
the cooldown logic at the mutexed block), and keep saveToDiskDebounced() calls
as-is; add a Vitest that sends concurrent 401 responses (one where
isTokenInvalidationError(bodyText) is true and one generic auth-failure) against
the same account and asserts coolingDownUntil never decreases and that persisted
disk state also never ends up with the shorter value after debounced writes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@lib/runtime-rotation-proxy.ts`:
- Around line 1685-1712: The token-invalidation 401 path can set a long cooldown
but a concurrent generic 401 can later overwrite it with a shorter window
because markAccountCoolingDown(...) writes coolingDownUntil unconditionally;
change markAccountCoolingDown in lib/accounts.ts to never shorten an existing
deadline (set account.coolingDownUntil = max(account.coolingDownUntil || 0,
nowMs() + ms)) or delegate the sync path to the existing mutexed updater (the
updater used around the cooldown logic at the mutexed block), and keep
saveToDiskDebounced() calls as-is; add a Vitest that sends concurrent 401
responses (one where isTokenInvalidationError(bodyText) is true and one generic
auth-failure) against the same account and asserts coolingDownUntil never
decreases and that persisted disk state also never ends up with the shorter
value after debounced writes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a2601d97-9fab-443e-94c8-280a7a8ea31a

📥 Commits

Reviewing files that changed from the base of the PR and between b354205 and 5d0e9be.

📒 Files selected for processing (7)

• lib/config.ts
• lib/runtime-rotation-proxy.ts
• lib/schemas.ts
• test/codex-manager-cli.test.ts
• test/plugin-config.test.ts
• test/runtime-rotation-proxy.test.ts
• test/schemas.test.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Greptile Review

🧰 Additional context used

📓 Path-based instructions (11)

**/*.{ts,tsx,js,mjs}

📄 CodeRabbit inference engine (AGENTS.md)

Use ESM only ("type": "module"), Node >= 18

Files:

• lib/schemas.ts
• test/codex-manager-cli.test.ts
• test/schemas.test.ts
• test/plugin-config.test.ts
• lib/config.ts
• test/runtime-rotation-proxy.test.ts
• lib/runtime-rotation-proxy.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use as any, @ts-ignore, or @ts-expect-error TypeScript assertions

Files:

• lib/schemas.ts
• test/codex-manager-cli.test.ts
• test/schemas.test.ts
• test/plugin-config.test.ts
• lib/config.ts
• test/runtime-rotation-proxy.test.ts
• lib/runtime-rotation-proxy.ts

lib/**/*.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/**/*.ts: All public exports should flow through lib/index.ts or documented package subpaths
Never import from dist/ in source tests or library code
Never suppress type errors

Files:

• lib/schemas.ts
• lib/config.ts
• lib/runtime-rotation-proxy.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (README.md)

**/*.{ts,tsx,js,jsx}: Implement default-on runtime Responses rotation for request-bearing forwarded Codex CLI/app sessions, with opt-out support via CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY=0
Store project-scoped accounts under ~/.codex/multi-auth/projects/<project-key>/openai-codex-accounts.json for repo-specific workflows
Support environment variable overrides for configuration including CODEX_MULTI_AUTH_DIR, CODEX_MODE, CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY, CODEX_TUI_COLOR_PROFILE, and others as documented
Implement account health checks with codex-multi-auth check command that validates saved account credentials and state
Implement quota forecasting and budget guards to prevent exhausting account quota within a session
Record local usage in a ledger at ~/.codex/multi-auth/usage/usage-ledger.jsonl for per-project tracking and reporting
Implement bounded outbound request budget so one prompt cannot walk the full account pool indefinitely
Trigger short cooldown instead of continuing aggressive rotation when repeated cross-account 5xx bursts are detected
Stagger proactive token refresh to reduce background refresh bursts across the account pool
Expose recent runtime request metrics in codex-multi-auth status text output and machine-readable metrics in codex-multi-auth report --json
Make OAuth callback listen on port 1455 for login flows
Support device authorization flow via codex-multi-auth login --device-auth as an alternate to browser-based OAuth for headless environments
Implement dashboard hotkeys including Up/Down for navigation, Enter for selection, 1-9 for quick switch, / for search, ? for help, Q to back, S to set account, R to refresh, E to enable/disable, and D to delete
Support named local pool backup export with filename prompt in the Settings > Experimental menu
Implement codex-multi-auth doctor --fix command to diagnose and apply the safest fixes for storage or account state issues
Implement codex-multi-auth fix --dry-run ...

Files:

• lib/schemas.ts
• test/codex-manager-cli.test.ts
• test/schemas.test.ts
• test/plugin-config.test.ts
• lib/config.ts
• test/runtime-rotation-proxy.test.ts
• lib/runtime-rotation-proxy.ts

lib/**

⚙️ CodeRabbit configuration file

focus on auth rotation, windows filesystem IO, and concurrency. verify every change cites affected tests (vitest) and that new queues handle EBUSY/429 scenarios. check for logging that leaks tokens or emails.

Files:

• lib/schemas.ts
• lib/config.ts
• lib/runtime-rotation-proxy.ts

{**/scripts/**/*.js,**/test/**/*.ts}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use bare recursive delete logic in Windows-sensitive scripts/tests without retry handling for transient EBUSY/EPERM/ENOTEMPTY errors

Files:

• test/codex-manager-cli.test.ts
• test/schemas.test.ts
• test/plugin-config.test.ts
• test/runtime-rotation-proxy.test.ts

test/**/*.test.ts

📄 CodeRabbit inference engine (test/AGENTS.md)

test/**/*.test.ts: Vitest globals (describe, it, expect) are enabled and should be used without explicit imports
Maintain 80% coverage threshold across statements, branches, functions, and lines
Use removeWithRetry for Windows filesystem cleanup instead of bare fs.rm to handle EBUSY/EPERM/ENOTEMPTY backoff
Use source files in tests, not compiled dist/ files; test the source directly
Do not skip tests without justification; include rationale if a test must be skipped
Relax ESLint rules for test files as specified in eslint.config.js

Files:

• test/codex-manager-cli.test.ts
• test/schemas.test.ts
• test/plugin-config.test.ts
• test/runtime-rotation-proxy.test.ts

test/**/codex-manager-cli.test.ts

📄 CodeRabbit inference engine (test/AGENTS.md)

Test CLI settings with question cancellation across all 5 panels and EBUSY/concurrent race conditions

Files:

• test/codex-manager-cli.test.ts

test/**

⚙️ CodeRabbit configuration file

tests must stay deterministic and use vitest. demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior. reject changes that mock real secrets or skip assertions.

Files:

• test/codex-manager-cli.test.ts
• test/schemas.test.ts
• test/plugin-config.test.ts
• test/runtime-rotation-proxy.test.ts

**/lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (AGENTS.md)

**/lib/runtime-rotation-proxy.ts: Keep runtime rotation default-on behavior aligned with explicit release and migration documentation
Do not expose account emails or tokens in runtime proxy client response headers or logs

Files:

• lib/runtime-rotation-proxy.ts

lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/runtime-rotation-proxy.ts: Runtime rotation code must preserve pass-through semantics except for auth/provider headers that intentionally change
Runtime proxy client-facing headers must not expose account emails or tokens
Runtime rotation should fail open to normal official Codex forwarding when startup helpers are unavailable
Never add account emails/tokens to runtime proxy client responses

Files:

• lib/runtime-rotation-proxy.ts

🔇 Additional comments (3)

test/codex-manager-cli.test.ts (1)

1179-1179: LGTM!

test/plugin-config.test.ts (1)

164-164: LGTM!

Also applies to: 237-237, 554-554, 628-628, 696-696

test/schemas.test.ts (1)

102-103: LGTM!

Also applies to: 138-139

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

lib/runtime-rotation-proxy.ts (1)

902-903: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

merge sticky and policy boosts additively.

lib/runtime-rotation-proxy.ts:975-978 spreads stickyBoostByAccount over policy?.scoreBoostByAccount, so the sticky boost replaces any existing policy boost for the same account instead of biasing on top of it. that can erase routing-profile scoring in the exact path this change is trying to stabilize. please sum overlapping boosts before calling getCurrentOrNextForFamilyHybrid, and add a vitest that covers overlapping policy + sticky boosts in test/runtime-rotation-proxy.test.ts.

suggested fix

+	const mergedScoreBoostByAccount: Record<number, number> = {
+		...(policy?.scoreBoostByAccount ?? {}),
+	};
+	for (const [accountIndex, boost] of Object.entries(
+		stickyBoostByAccount ?? {},
+	)) {
+		const index = Number(accountIndex);
+		mergedScoreBoostByAccount[index] =
+			(mergedScoreBoostByAccount[index] ?? 0) + boost;
+	}
 	const selected = accountManager.getCurrentOrNextForFamilyHybrid(family, model, {
-		scoreBoostByAccount: {
-			...(policy?.scoreBoostByAccount ?? {}),
-			...(stickyBoostByAccount ?? {}),
-		},
+		scoreBoostByAccount: mergedScoreBoostByAccount,
 	});

as per coding guidelines lib/**: focus on auth rotation, windows filesystem io, and concurrency. verify every change cites affected tests (vitest) and that new queues handle EBUSY/429 scenarios.

Also applies to: 975-978

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@lib/runtime-rotation-proxy.ts` around lines 902 - 903, The sticky boost map
(stickyBoostByAccount) is currently spread over policy?.scoreBoostByAccount
which overwrites policy boosts instead of adding; update the logic that prepares
the combined boosts (before calling getCurrentOrNextForFamilyHybrid) to sum
values for matching account IDs (e.g., iterate keys and add
stickyBoostByAccount[id] to policy.scoreBoostByAccount[id] or vice versa) so
overlapping boosts are additive, and add a vitest in
test/runtime-rotation-proxy.test.ts that constructs a policy with
scoreBoostByAccount and a non-empty stickyBoostByAccount for the same account to
assert the resulting boost passed into getCurrentOrNextForFamilyHybrid is the
sum.

test/runtime-rotation-proxy.test.ts (3)

1843-1868: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

verify session affinity clearing when invalidation is detected.

past review requested verifying that forgetSession is called when token invalidation is detected (impl at lib/runtime-rotation-proxy.ts:1677). current test doesn't send a request with metadata.session_id, so session affinity clearing isn't verified.

add a second request with metadata: { session_id: "session-invalidated" } before the invalidation response, then verify that a subsequent request with the same session_id does not stick to the invalidated account.

🧪 add session affinity clearing verification

 	const proxy = await startProxy({ accountManager, fetchImpl });
+	
+	// establish session affinity to acc_1
+	const firstBody = { model: "gpt-5-codex", metadata: { session_id: "session-inv" } };
+	await (await postResponses(proxy, firstBody)).text();
+	expect(calls).toHaveLength(1);

-	const response = await postResponses(proxy, { model: "gpt-5-codex" });
+	// trigger invalidation for acc_1
+	const response = await postResponses(proxy, firstBody);

 	expect(response.status).toBe(HTTP_STATUS.UNAUTHORIZED);
-	expect(calls).toHaveLength(1);
+	expect(calls).toHaveLength(2);
 	expect(calls[0]?.headers.get(OPENAI_HEADERS.ACCOUNT_ID)).toBe("acc_1");
+	expect(calls[1]?.headers.get(OPENAI_HEADERS.ACCOUNT_ID)).toBe("acc_1");
 	expect(accountManager.getAccountByIndex(0)?.cooldownReason).toBe("auth-failure");
 	const coolingDownUntil = accountManager.getAccountByIndex(0)?.coolingDownUntil ?? 0;
 	expect(coolingDownUntil).toBeGreaterThan(now + 250_000);
 	expect(coolingDownUntil).toBeLessThan(now + 350_000);
-	expect(proxy.getStatus().rotations).toBe(0);
+	
+	// verify session affinity was cleared: next request should pick acc_2
+	const thirdFetch = createRecordingFetch(() => textEventStream("data: recovered\n\n"));
+	// swap fetchImpl to allow success on acc_2
+	const proxyWithRecovery = await startProxy({ accountManager, fetchImpl: thirdFetch.fetchImpl });
+	const afterClear = await postResponses(proxyWithRecovery, firstBody);
+	expect(afterClear.status).toBe(HTTP_STATUS.OK);
+	expect(thirdFetch.calls[0]?.headers.get(OPENAI_HEADERS.ACCOUNT_ID)).toBe("acc_2");

as per coding guidelines test/**: "demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/runtime-rotation-proxy.test.ts` around lines 1843 - 1868, The test must
exercise session-affinity clearing: send an initial request that includes
metadata.session_id = "session-invalidated" (using postResponses) so the proxy
binds that session to acc_1, then trigger the invalidation response as currently
done and assert that lib/runtime-rotation-proxy.ts's forgetSession behavior runs
(i.e., a subsequent postResponses call with metadata.session_id =
"session-invalidated" does NOT reuse the invalidated account id "acc_1" and
instead gets a different account or causes a new assignment); update assertions
around calls/cookies to confirm the second request’s OPENAI_HEADERS.ACCOUNT_ID
is not "acc_1" (or that accountManager no longer returns the session mapping),
and keep the existing checks for 401, cooldownReason, coolingDownUntil, and
rotations.

---

1945-1964: 🧹 Nitpick | 🔵 Trivial | ⚖️ Poor tradeoff

consider testing rotation after sticky window expires.

current test verifies that requests within the minRotationIntervalMs window stick to the last served account. it doesn't verify that rotation can occur after the window expires.

a complete test would use vi.useFakeTimers() to advance time past the 60s window and verify that a third request rotates to acc_2.

this is optional since the sticky-boost logic is straightforward, but it would provide more complete coverage of the window boundary behavior.

🧪 add sticky window expiry verification

it("rotates after minRotationIntervalMs window expires", async () => {
	vi.useFakeTimers();
	vi.stubEnv("CODEX_AUTH_MIN_ROTATION_INTERVAL_MS", "60000");
	try {
		const now = Date.now();
		const accountManager = new AccountManager(undefined, createStorage(now, 2));
		const { calls, fetchImpl } = createRecordingFetch(() =>
			textEventStream("data: ok\n\n"),
		);
		const proxy = await startProxy({ accountManager, fetchImpl });

		await (await postResponses(proxy, { model: "gpt-5-codex" })).text();
		vi.advanceTimersByTime(30_000); // within window
		await (await postResponses(proxy, { model: "gpt-5-codex" })).text();
		vi.advanceTimersByTime(40_000); // past window (30+40=70s)
		
		// force rotation by making acc_1 unavailable
		accountManager.getAccountByIndex(0)?.markAccountCoolingDown(10_000, "rate-limit");
		await (await postResponses(proxy, { model: "gpt-5-codex" })).text();

		expect(calls[0]?.headers.get(OPENAI_HEADERS.ACCOUNT_ID)).toBe("acc_1");
		expect(calls[1]?.headers.get(OPENAI_HEADERS.ACCOUNT_ID)).toBe("acc_1");
		expect(calls[2]?.headers.get(OPENAI_HEADERS.ACCOUNT_ID)).toBe("acc_2");
	} finally {
		vi.useRealTimers();
		vi.unstubAllEnvs();
	}
});

as per coding guidelines test/**: "demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/runtime-rotation-proxy.test.ts` around lines 1945 - 1964, Add a
complementary test that verifies rotation after the minRotationIntervalMs sticky
window expires: use vi.useFakeTimers(),
vi.stubEnv("CODEX_AUTH_MIN_ROTATION_INTERVAL_MS","60000"), create
AccountManager(...) and proxy via startProxy with createRecordingFetch, then
send a first request, vi.advanceTimersByTime(30_000), send a second request
(still within window), vi.advanceTimersByTime(40_000) to move past the 60s
window, mark the first account cooling down via
accountManager.getAccountByIndex(0)?.markAccountCoolingDown(...), send a third
request via postResponses(...), and assert calls[0/1/2] headers use
OPENAI_HEADERS.ACCOUNT_ID equal to "acc_1","acc_1","acc_2" respectively; finally
restore timers and env with vi.useRealTimers() and vi.unstubAllEnvs().

---

1843-1984: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

missing concurrent invalidation race test flagged in past review.

past review comment (lines 1843-1897) requested: "simulate concurrent invalidation races by firing multiple postResponses(proxy, ...) in parallel against a fetchImpl that returns the invalidation response for the first N concurrent calls and ensure the account is cooled once and rotations/call counts match expected behavior."

this was marked "✅ addressed in commit b354205" but the test is not present. concurrent invalidation could expose race conditions in:

1. cooldown duration (could a generic-401 handler overwrite the 5-min invalidation cooldown with 30s?)
2. forgetSession being called multiple times
3. multiple token_invalidated events recorded

existing test at test/runtime-rotation-proxy.test.ts:1213-1265 covers concurrent deactivation (402) but not concurrent 401 invalidation.

🧪 add concurrent invalidation race test

it("handles concurrent invalidation errors on same account without race", async () => {
	const now = Date.now();
	const accountManager = new AccountManager(undefined, createStorage(now, 1));
	const recordFailureSpy = vi.spyOn(accountManager, "recordFailure");
	let invalidationCalls = 0;
	let releaseInvalidationCalls: (() => void) | null = null;
	const allInvalidationCallsArrived = new Promise<void>((resolve) => {
		releaseInvalidationCalls = resolve;
	});
	const invalidationBody = JSON.stringify({
		error: { message: "invalidated oauth token for user" },
	});
	const { calls, fetchImpl } = createRecordingFetch(async (call) => {
		if (call.headers.get(OPENAI_HEADERS.ACCOUNT_ID) === "acc_1") {
			invalidationCalls += 1;
			if (invalidationCalls === 2) releaseInvalidationCalls?.();
			await allInvalidationCallsArrived;
			return new Response(invalidationBody, {
				status: HTTP_STATUS.UNAUTHORIZED,
				headers: { "content-type": "application/json" },
			});
		}
		return textEventStream("data: unreachable\n\n");
	});
	const proxy = await startProxy({ accountManager, fetchImpl });

	const responses = await Promise.all([
		postResponses(proxy, { model: "gpt-5-codex" }),
		postResponses(proxy, { model: "gpt-5-codex" }),
	]);

	expect(responses.map((r) => r.status)).toEqual([
		HTTP_STATUS.UNAUTHORIZED,
		HTTP_STATUS.UNAUTHORIZED,
	]);
	expect(calls).toHaveLength(2);
	expect(calls.map((c) => c.headers.get(OPENAI_HEADERS.ACCOUNT_ID))).toEqual([
		"acc_1",
		"acc_1",
	]);
	// verify account is cooled once with long invalidation cooldown
	const account = accountManager.getAccountByIndex(0);
	expect(account?.cooldownReason).toBe("auth-failure");
	const coolingDownUntil = account?.coolingDownUntil ?? 0;
	expect(coolingDownUntil).toBeGreaterThan(now + 250_000); // ~5min
	expect(coolingDownUntil).toBeLessThan(now + 350_000);
	// verify recordFailure called once or twice (depending on dedup), not more
	expect(recordFailureSpy.mock.calls.length).toBeLessThanOrEqual(2);
	expect(proxy.getStatus().rotations).toBe(0);
});

as per coding guidelines test/**: "demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/runtime-rotation-proxy.test.ts` around lines 1843 - 1984, Add a new test
that simulates concurrent 401 token-invalidation responses: instantiate
AccountManager(createStorage(now, 1)), spy on accountManager.recordFailure, use
createRecordingFetch to return the invalidation JSON response for multiple
simultaneous calls to postResponses(proxy, ...), block the fetchImpl until both
requests arrive (using a promise) so they race, then assert both responses are
401, the fetch calls used the same accountId header (OPENAI_HEADERS.ACCOUNT_ID
"acc_1"), the account's cooldownReason is "auth-failure" and coolingDownUntil is
~5min from now, recordFailure was not invoked an unbounded number of times
(<=2), and proxy.getStatus().rotations remains 0; use startProxy and
postResponses helpers and mirror the structure/expectations shown in the
provided suggested test.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@lib/runtime-rotation-proxy.ts`:
- Around line 737-748: Two concurrent auth-failure paths can race and shorten an
existing long "invalidated" cooldown; modify the logic around
accountManager.markAccountCoolingDown (calls from the refresh error path that
use isTokenInvalidationError, tokenInvalidationCooldownMs, and
DEFAULT_AUTH_FAILURE_COOLDOWN_MS at both locations) so cooldown updates are
monotonic: before calling markAccountCoolingDown either (A) update
markAccountCoolingDown to compare the requested cooldown expiry against the
current stored expiry and only extend it if the new expiry is later (or to
preserve an "invalidated" stronger state), or (B) read the account's current
cooldown/invalidated state and only call markAccountCoolingDown when the new
duration is strictly longer or when setting invalidation to true; apply this
change at both call sites (the refresh error path and the other 1740-1744 site)
and add a vitest regression in test/runtime-rotation-proxy.test.ts that
simulates two in-flight failures racing to ensure the longer
tokenInvalidationCooldownMs wins and shorter cooldowns do not overwrite it.

In `@test/runtime-rotation-proxy.test.ts`:
- Around line 1918-1943: Add an assertion that a previously-bound session_id
loses affinity after a refresh invalidation: before triggering the refresh, bind
a session (use AccountManager and whatever creates/records affinity in the test
harness, e.g., call postResponses with a session_id or use the same helper that
binds sessions to accounts) to confirm it maps to account 0, then run the
refresh-invalidation scenario (the existing refreshAccessToken mock and
postResponses call) and assert that the session affinity table no longer routes
that session to the invalidated account (i.e., subsequent requests with the same
session_id should be routed to a healthy account or cause a rebalance);
reference the refreshAccessToken mock, AccountManager.getAccountByIndex /
AccountManager methods that inspect coolingDownUntil, postResponses, and
startProxy to locate where to add the binding and the post-invalidation
verification.

---

Outside diff comments:
In `@lib/runtime-rotation-proxy.ts`:
- Around line 902-903: The sticky boost map (stickyBoostByAccount) is currently
spread over policy?.scoreBoostByAccount which overwrites policy boosts instead
of adding; update the logic that prepares the combined boosts (before calling
getCurrentOrNextForFamilyHybrid) to sum values for matching account IDs (e.g.,
iterate keys and add stickyBoostByAccount[id] to policy.scoreBoostByAccount[id]
or vice versa) so overlapping boosts are additive, and add a vitest in
test/runtime-rotation-proxy.test.ts that constructs a policy with
scoreBoostByAccount and a non-empty stickyBoostByAccount for the same account to
assert the resulting boost passed into getCurrentOrNextForFamilyHybrid is the
sum.

In `@test/runtime-rotation-proxy.test.ts`:
- Around line 1843-1868: The test must exercise session-affinity clearing: send
an initial request that includes metadata.session_id = "session-invalidated"
(using postResponses) so the proxy binds that session to acc_1, then trigger the
invalidation response as currently done and assert that
lib/runtime-rotation-proxy.ts's forgetSession behavior runs (i.e., a subsequent
postResponses call with metadata.session_id = "session-invalidated" does NOT
reuse the invalidated account id "acc_1" and instead gets a different account or
causes a new assignment); update assertions around calls/cookies to confirm the
second request’s OPENAI_HEADERS.ACCOUNT_ID is not "acc_1" (or that
accountManager no longer returns the session mapping), and keep the existing
checks for 401, cooldownReason, coolingDownUntil, and rotations.
- Around line 1945-1964: Add a complementary test that verifies rotation after
the minRotationIntervalMs sticky window expires: use vi.useFakeTimers(),
vi.stubEnv("CODEX_AUTH_MIN_ROTATION_INTERVAL_MS","60000"), create
AccountManager(...) and proxy via startProxy with createRecordingFetch, then
send a first request, vi.advanceTimersByTime(30_000), send a second request
(still within window), vi.advanceTimersByTime(40_000) to move past the 60s
window, mark the first account cooling down via
accountManager.getAccountByIndex(0)?.markAccountCoolingDown(...), send a third
request via postResponses(...), and assert calls[0/1/2] headers use
OPENAI_HEADERS.ACCOUNT_ID equal to "acc_1","acc_1","acc_2" respectively; finally
restore timers and env with vi.useRealTimers() and vi.unstubAllEnvs().
- Around line 1843-1984: Add a new test that simulates concurrent 401
token-invalidation responses: instantiate AccountManager(createStorage(now, 1)),
spy on accountManager.recordFailure, use createRecordingFetch to return the
invalidation JSON response for multiple simultaneous calls to
postResponses(proxy, ...), block the fetchImpl until both requests arrive (using
a promise) so they race, then assert both responses are 401, the fetch calls
used the same accountId header (OPENAI_HEADERS.ACCOUNT_ID "acc_1"), the
account's cooldownReason is "auth-failure" and coolingDownUntil is ~5min from
now, recordFailure was not invoked an unbounded number of times (<=2), and
proxy.getStatus().rotations remains 0; use startProxy and postResponses helpers
and mirror the structure/expectations shown in the provided suggested test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 43e52085-87f3-48eb-ba5e-c38150d9c964

📥 Commits

Reviewing files that changed from the base of the PR and between 5d0e9be and b4209bb.

📒 Files selected for processing (2)

• lib/runtime-rotation-proxy.ts
• test/runtime-rotation-proxy.test.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Greptile Review

🧰 Additional context used

📓 Path-based instructions (10)

**/*.{ts,tsx,js,mjs}

📄 CodeRabbit inference engine (AGENTS.md)

Use ESM only ("type": "module"), Node >= 18

Files:

• test/runtime-rotation-proxy.test.ts
• lib/runtime-rotation-proxy.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use as any, @ts-ignore, or @ts-expect-error TypeScript assertions

Files:

• test/runtime-rotation-proxy.test.ts
• lib/runtime-rotation-proxy.ts

{**/scripts/**/*.js,**/test/**/*.ts}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use bare recursive delete logic in Windows-sensitive scripts/tests without retry handling for transient EBUSY/EPERM/ENOTEMPTY errors

Files:

• test/runtime-rotation-proxy.test.ts

test/**/*.test.ts

📄 CodeRabbit inference engine (test/AGENTS.md)

test/**/*.test.ts: Vitest globals (describe, it, expect) are enabled and should be used without explicit imports
Maintain 80% coverage threshold across statements, branches, functions, and lines
Use removeWithRetry for Windows filesystem cleanup instead of bare fs.rm to handle EBUSY/EPERM/ENOTEMPTY backoff
Use source files in tests, not compiled dist/ files; test the source directly
Do not skip tests without justification; include rationale if a test must be skipped
Relax ESLint rules for test files as specified in eslint.config.js

Files:

• test/runtime-rotation-proxy.test.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (README.md)

**/*.{ts,tsx,js,jsx}: Implement default-on runtime Responses rotation for request-bearing forwarded Codex CLI/app sessions, with opt-out support via CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY=0
Store project-scoped accounts under ~/.codex/multi-auth/projects/<project-key>/openai-codex-accounts.json for repo-specific workflows
Support environment variable overrides for configuration including CODEX_MULTI_AUTH_DIR, CODEX_MODE, CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY, CODEX_TUI_COLOR_PROFILE, and others as documented
Implement account health checks with codex-multi-auth check command that validates saved account credentials and state
Implement quota forecasting and budget guards to prevent exhausting account quota within a session
Record local usage in a ledger at ~/.codex/multi-auth/usage/usage-ledger.jsonl for per-project tracking and reporting
Implement bounded outbound request budget so one prompt cannot walk the full account pool indefinitely
Trigger short cooldown instead of continuing aggressive rotation when repeated cross-account 5xx bursts are detected
Stagger proactive token refresh to reduce background refresh bursts across the account pool
Expose recent runtime request metrics in codex-multi-auth status text output and machine-readable metrics in codex-multi-auth report --json
Make OAuth callback listen on port 1455 for login flows
Support device authorization flow via codex-multi-auth login --device-auth as an alternate to browser-based OAuth for headless environments
Implement dashboard hotkeys including Up/Down for navigation, Enter for selection, 1-9 for quick switch, / for search, ? for help, Q to back, S to set account, R to refresh, E to enable/disable, and D to delete
Support named local pool backup export with filename prompt in the Settings > Experimental menu
Implement codex-multi-auth doctor --fix command to diagnose and apply the safest fixes for storage or account state issues
Implement codex-multi-auth fix --dry-run ...

Files:

• test/runtime-rotation-proxy.test.ts
• lib/runtime-rotation-proxy.ts

test/**

⚙️ CodeRabbit configuration file

tests must stay deterministic and use vitest. demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior. reject changes that mock real secrets or skip assertions.

Files:

• test/runtime-rotation-proxy.test.ts

**/lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (AGENTS.md)

**/lib/runtime-rotation-proxy.ts: Keep runtime rotation default-on behavior aligned with explicit release and migration documentation
Do not expose account emails or tokens in runtime proxy client response headers or logs

Files:

• lib/runtime-rotation-proxy.ts

lib/**/*.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/**/*.ts: All public exports should flow through lib/index.ts or documented package subpaths
Never import from dist/ in source tests or library code
Never suppress type errors

Files:

• lib/runtime-rotation-proxy.ts

lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/runtime-rotation-proxy.ts: Runtime rotation code must preserve pass-through semantics except for auth/provider headers that intentionally change
Runtime proxy client-facing headers must not expose account emails or tokens
Runtime rotation should fail open to normal official Codex forwarding when startup helpers are unavailable
Never add account emails/tokens to runtime proxy client responses

Files:

• lib/runtime-rotation-proxy.ts

lib/**

⚙️ CodeRabbit configuration file

focus on auth rotation, windows filesystem IO, and concurrency. verify every change cites affected tests (vitest) and that new queues handle EBUSY/429 scenarios. check for logging that leaks tokens or emails.

Files:

• lib/runtime-rotation-proxy.ts

🔇 Additional comments (1)

lib/runtime-rotation-proxy.ts (1)

1821-1824: still unresolved: make the sticky window sliding.

lib/runtime-rotation-proxy.ts:1821-1824 still only refreshes lastGlobalSwitchAt when the account index changes. if the same account serves again inside the window, the next request can rotate as soon as the original timestamp expires even though that account just served successfully. the mocked-clock regression in test/runtime-rotation-proxy.test.ts is still needed here.

as per coding guidelines lib/**: focus on auth rotation, windows filesystem io, and concurrency. verify every change cites affected tests (vitest) and that new queues handle EBUSY/429 scenarios.

[ndycode]

All 4 CR actionable comments addressed across commits b354205 and b4209bb:

• Phrase provenance comment added above TOKEN_INVALIDATION_PHRASES
• cooldown duration assertions in both invalidation and generic-401 tests
• Edge case tests: empty body, HTML body, refresh-phase invalidation
• All tests pass (53/53 proxy, 4049+ full suite), TypeScript clean

@coderabbitai review

[ndycode]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@lib/runtime-rotation-proxy.ts`:
- Around line 659-672: Two direct calls to markAccountCoolingDown in
lib/runtime-rotation-proxy.ts (the refresh-commit failure and missing-account-id
branches around the previous calls at lines near 785-789 and 1547-1551) must be
routed through applyMonotonicAuthCooldown(accountManager, account, cooldownMs)
so the monotonic "only extend" semantics are preserved; replace those
markAccountCoolingDown(...) invocations with calls to applyMonotonicAuthCooldown
using the same accountManager, account, and cooldownMs values. Add a vitest
regression that races each of those branches against the invalidation paths
already covered by test/runtime-rotation-proxy.test.ts (the blocks at ~1918-1991
and ~1444-1565), reproducing the concurrent sequence to assert the cooldown
remains the longer value; follow existing test patterns and ensure the new tests
account for filesystem/concurrency error handling (EBUSY/429) as per lib/**
guidelines.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 84923871-1a4d-40d9-a4a3-964b1a73ed6b

📥 Commits

Reviewing files that changed from the base of the PR and between b4209bb and d3115ac.

📒 Files selected for processing (2)

• lib/runtime-rotation-proxy.ts
• test/runtime-rotation-proxy.test.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Greptile Review

🧰 Additional context used

📓 Path-based instructions (10)

**/*.{ts,tsx,js,mjs}

📄 CodeRabbit inference engine (AGENTS.md)

Use ESM only ("type": "module"), Node >= 18

Files:

• test/runtime-rotation-proxy.test.ts
• lib/runtime-rotation-proxy.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use as any, @ts-ignore, or @ts-expect-error TypeScript assertions

Files:

• test/runtime-rotation-proxy.test.ts
• lib/runtime-rotation-proxy.ts

{**/scripts/**/*.js,**/test/**/*.ts}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use bare recursive delete logic in Windows-sensitive scripts/tests without retry handling for transient EBUSY/EPERM/ENOTEMPTY errors

Files:

• test/runtime-rotation-proxy.test.ts

test/**/*.test.ts

📄 CodeRabbit inference engine (test/AGENTS.md)

test/**/*.test.ts: Vitest globals (describe, it, expect) are enabled and should be used without explicit imports
Maintain 80% coverage threshold across statements, branches, functions, and lines
Use removeWithRetry for Windows filesystem cleanup instead of bare fs.rm to handle EBUSY/EPERM/ENOTEMPTY backoff
Use source files in tests, not compiled dist/ files; test the source directly
Do not skip tests without justification; include rationale if a test must be skipped
Relax ESLint rules for test files as specified in eslint.config.js

Files:

• test/runtime-rotation-proxy.test.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (README.md)

**/*.{ts,tsx,js,jsx}: Implement default-on runtime Responses rotation for request-bearing forwarded Codex CLI/app sessions, with opt-out support via CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY=0
Store project-scoped accounts under ~/.codex/multi-auth/projects/<project-key>/openai-codex-accounts.json for repo-specific workflows
Support environment variable overrides for configuration including CODEX_MULTI_AUTH_DIR, CODEX_MODE, CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY, CODEX_TUI_COLOR_PROFILE, and others as documented
Implement account health checks with codex-multi-auth check command that validates saved account credentials and state
Implement quota forecasting and budget guards to prevent exhausting account quota within a session
Record local usage in a ledger at ~/.codex/multi-auth/usage/usage-ledger.jsonl for per-project tracking and reporting
Implement bounded outbound request budget so one prompt cannot walk the full account pool indefinitely
Trigger short cooldown instead of continuing aggressive rotation when repeated cross-account 5xx bursts are detected
Stagger proactive token refresh to reduce background refresh bursts across the account pool
Expose recent runtime request metrics in codex-multi-auth status text output and machine-readable metrics in codex-multi-auth report --json
Make OAuth callback listen on port 1455 for login flows
Support device authorization flow via codex-multi-auth login --device-auth as an alternate to browser-based OAuth for headless environments
Implement dashboard hotkeys including Up/Down for navigation, Enter for selection, 1-9 for quick switch, / for search, ? for help, Q to back, S to set account, R to refresh, E to enable/disable, and D to delete
Support named local pool backup export with filename prompt in the Settings > Experimental menu
Implement codex-multi-auth doctor --fix command to diagnose and apply the safest fixes for storage or account state issues
Implement codex-multi-auth fix --dry-run ...

Files:

• test/runtime-rotation-proxy.test.ts
• lib/runtime-rotation-proxy.ts

test/**

⚙️ CodeRabbit configuration file

tests must stay deterministic and use vitest. demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior. reject changes that mock real secrets or skip assertions.

Files:

• test/runtime-rotation-proxy.test.ts

**/lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (AGENTS.md)

**/lib/runtime-rotation-proxy.ts: Keep runtime rotation default-on behavior aligned with explicit release and migration documentation
Do not expose account emails or tokens in runtime proxy client response headers or logs

Files:

• lib/runtime-rotation-proxy.ts

lib/**/*.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/**/*.ts: All public exports should flow through lib/index.ts or documented package subpaths
Never import from dist/ in source tests or library code
Never suppress type errors

Files:

• lib/runtime-rotation-proxy.ts

lib/runtime-rotation-proxy.ts

📄 CodeRabbit inference engine (lib/AGENTS.md)

lib/runtime-rotation-proxy.ts: Runtime rotation code must preserve pass-through semantics except for auth/provider headers that intentionally change
Runtime proxy client-facing headers must not expose account emails or tokens
Runtime rotation should fail open to normal official Codex forwarding when startup helpers are unavailable
Never add account emails/tokens to runtime proxy client responses

Files:

• lib/runtime-rotation-proxy.ts

lib/**

⚙️ CodeRabbit configuration file

focus on auth rotation, windows filesystem IO, and concurrency. verify every change cites affected tests (vitest) and that new queues handle EBUSY/429 scenarios. check for logging that leaks tokens or emails.

Files:

• lib/runtime-rotation-proxy.ts

🔇 Additional comments (1)

test/runtime-rotation-proxy.test.ts (1)

1934-1952: LGTM!

Also applies to: 1955-1991