Merge branch 'pr-463' into merge/pr-462-463

Author: ndycode

lib/auto-update-checker.ts

@@ -537,8 +537,13 @@ function taskkillProcessTree(pid: number): Promise<boolean> {
 		timeout.unref?.();
 		try {
 			const killer = spawn(
-				"taskkill",
-				["/PID", String(pid), "/T", "/F"],
+				"cmd.exe",
+				[
+					"/d",
+					"/s",
+					"/c",
+					`taskkill /PID ${pid} /T /F`,
+				],
 				{
 					stdio: "ignore",
 					windowsHide: true,

lib/request/fetch-helpers.ts

@@ -328,12 +328,28 @@ export function isWorkspaceDisabledError(
         code: unknown,
         bodyText: string,
 ): boolean {
+        const normalizedCode = typeof code === "string" ? code.trim().toLowerCase() : "";
+
+        if (status === 402) {
+                const normalizedTokens = normalizedCode
+                        .split(/[^a-z0-9_]+/i)
+                        .map((token) => token.trim())
+                        .filter((token) => token.length > 0);
+                return (
+                        normalizedTokens.includes("deactivated_workspace") ||
+                        /\bdeactivated_workspace\b/i.test(bodyText)
+                );
+        }
+
         if (status !== 403) {
                 return false;
         }
 
-        const normalizedCode = typeof code === "string" ? code.trim().toLowerCase() : "";
         const haystack = `${normalizedCode} ${bodyText}`.toLowerCase();
+        const normalizedTokens = normalizedCode
+                .split(/[^a-z0-9_]+/i)
+                .map((token) => token.trim())
+                .filter((token) => token.length > 0);
 
 		const disabledPatterns = [
 				/workspace.*(?:disabled|expired|deactivated|terminated)/i,
@@ -362,11 +378,6 @@ export function isWorkspaceDisabledError(
                 return true;
         }
 
-        const normalizedTokens = normalizedCode
-                .split(/[^a-z0-9_]+/i)
-                .map((token) => token.trim())
-                .filter((token) => token.length > 0);
-
         return normalizedTokens.some((token) => workspaceErrorCodes.has(token));
 }
 

lib/runtime-rotation-proxy.ts

@@ -34,6 +34,7 @@ import {
 	loadRuntimePolicyState,
 	type RuntimePolicyDecision,
 } from "./policy/runtime-policy.js";
+import { isWorkspaceDisabledError } from "./request/fetch-helpers.js";
 import { SessionAffinityStore } from "./session-affinity.js";
 import type { OAuthAuthDetails, RequestBody, TokenResult } from "./types.js";
 import { isRecord } from "./utils.js";
@@ -91,6 +92,7 @@ type ExhaustionReason =
 	| "network-error"
 	| "auth-failure"
 	| "budget"
+	| "deactivated"
 	| "no-account";
 type RuntimeProxyHttpError = Error & {
 	statusCode: number;
@@ -637,6 +639,26 @@ async function readErrorBody(response: Response): Promise<string> {
 	}
 }
 
+function extractErrorCodeFromBody(bodyText: string): string | null {
+	if (!bodyText.trim()) return null;
+	try {
+		const parsed = JSON.parse(bodyText) as unknown;
+		if (!isRecord(parsed)) return null;
+		const directCode = parsed.code;
+		if (typeof directCode === "string" && directCode.trim()) {
+			return directCode.trim();
+		}
+		const maybeError = parsed.error;
+		if (!isRecord(maybeError)) return null;
+		const nestedCode = maybeError.code;
+		return typeof nestedCode === "string" && nestedCode.trim()
+			? nestedCode.trim()
+			: null;
+	} catch {
+		return null;
+	}
+}
+
 function getQuotaWindowWaitMs(headers: Headers, prefix: string, now: number): number {
 	const resetAfterSeconds = Number.parseInt(
 		headers.get(`${prefix}-reset-after-seconds`) ?? "",
@@ -1013,12 +1035,18 @@ export async function startRuntimeRotationProxy(
 			);
 			const attemptedIndexes = new Set<number>();
 			let exhaustionReason: ExhaustionReason = "no-account";
-			const accountAttemptLimit = Math.max(
+			const accountCount = accountManager.getAccountCount();
+			const transientAttemptLimit = Math.max(
 				1,
-				Math.min(accountManager.getAccountCount(), maxRuntimeAccountAttempts),
+				Math.min(accountCount, maxRuntimeAccountAttempts),
 			);
+			let transientAttempts = 0;
+			let transientExhaustionReason: ExhaustionReason | null = null;
 
-			while (attemptedIndexes.size < accountAttemptLimit) {
+			while (
+				attemptedIndexes.size < accountCount &&
+				transientAttempts < transientAttemptLimit
+			) {
 				const selected = chooseAccount({
 					accountManager,
 					sessionAffinityStore,
@@ -1049,6 +1077,8 @@ export async function startRuntimeRotationProxy(
 					accountManager.refundToken(selected, context.family, context.model);
 					exhaustionReason = "auth-failure";
 					if (!refreshed.retryable) continue;
+					transientAttempts += 1;
+					transientExhaustionReason = "auth-failure";
 					status.retries += 1;
 					status.rotations += 1;
 					continue;
@@ -1064,6 +1094,8 @@ export async function startRuntimeRotationProxy(
 						"auth-failure",
 					);
 					exhaustionReason = "auth-failure";
+					transientAttempts += 1;
+					transientExhaustionReason = "auth-failure";
 					status.retries += 1;
 					status.rotations += 1;
 					continue;
@@ -1108,6 +1140,8 @@ export async function startRuntimeRotationProxy(
 					);
 					accountManager.saveToDiskDebounced();
 					exhaustionReason = "network-error";
+					transientAttempts += 1;
+					transientExhaustionReason = "network-error";
 					status.retries += 1;
 					status.rotations += 1;
 					continue;
@@ -1131,11 +1165,52 @@ export async function startRuntimeRotationProxy(
 					);
 					accountManager.saveToDiskDebounced();
 					exhaustionReason = "rate-limit";
+					transientAttempts += 1;
+					transientExhaustionReason = "rate-limit";
 					status.retries += 1;
 					status.rotations += 1;
 					continue;
 				}
 
+				if (upstream.status === 402 || upstream.status === HTTP_STATUS.FORBIDDEN) {
+					const bodyText = await readErrorBody(upstream);
+					const errorCode = extractErrorCodeFromBody(bodyText);
+					if (isWorkspaceDisabledError(upstream.status, errorCode, bodyText)) {
+						const accountWasEnabled =
+							accountManager.getAccountByIndex(refreshed.account.index)?.enabled !==
+							false;
+						accountManager.refundToken(
+							refreshed.account,
+							context.family,
+							context.model,
+						);
+						if (accountWasEnabled) {
+							accountManager.recordFailure(
+								refreshed.account,
+								context.family,
+								context.model,
+							);
+							accountManager.setAccountEnabled(refreshed.account.index, false);
+							accountManager.saveToDiskDebounced();
+						}
+						sessionAffinityStore?.forgetSession(context.sessionKey);
+						exhaustionReason = "deactivated";
+						status.retries += 1;
+						status.rotations += 1;
+						continue;
+					}
+
+					res.writeHead(upstream.status, responseHeadersForClient(upstream.headers));
+					res.end(bodyText);
+					await usageRecorder.record({
+						outcome: "failure",
+						statusCode: upstream.status,
+						errorCode,
+						account: refreshed.account,
+					});
+					return;
+				}
+
 				if (upstream.status === HTTP_STATUS.UNAUTHORIZED) {
 					await readErrorBody(upstream);
 					accountManager.refundToken(refreshed.account, context.family, context.model);
@@ -1147,6 +1222,8 @@ export async function startRuntimeRotationProxy(
 					);
 					accountManager.saveToDiskDebounced();
 					exhaustionReason = "auth-failure";
+					transientAttempts += 1;
+					transientExhaustionReason = "auth-failure";
 					status.retries += 1;
 					status.rotations += 1;
 					continue;
@@ -1163,6 +1240,8 @@ export async function startRuntimeRotationProxy(
 					);
 					accountManager.saveToDiskDebounced();
 					exhaustionReason = "server-error";
+					transientAttempts += 1;
+					transientExhaustionReason = "server-error";
 					status.retries += 1;
 					status.rotations += 1;
 					continue;
@@ -1283,10 +1362,15 @@ export async function startRuntimeRotationProxy(
 			}
 
 			if (
-				attemptedIndexes.size >= accountAttemptLimit &&
-				accountAttemptLimit < accountManager.getAccountCount()
+				transientAttempts >= transientAttemptLimit &&
+				attemptedIndexes.size < accountCount
 			) {
 				exhaustionReason = "budget";
+			} else if (
+				exhaustionReason === "deactivated" &&
+				transientExhaustionReason
+			) {
+				exhaustionReason = transientExhaustionReason;
 			}
 
 			await usageRecorder?.record({

scripts/codex-multi-auth.js

@@ -21,6 +21,10 @@ function resolveCliVersion() {
 	return "";
 }
 
+/**
+ * @param {string[]} args
+ * @returns {string[]}
+ */
 function normalizeStandaloneArgs(args) {
 	if (args[0] === "auth") return args;
 	const firstArg = args[0] ?? "";

scripts/codex-routing.js

@@ -26,6 +26,10 @@ const AUTH_SUBCOMMANDS = new Set([
 	"debug",
 ]);
 
+/**
+ * @param {string[]} args
+ * @returns {string[]}
+ */
 export function normalizeAuthAlias(args) {
 	if (args.length >= 2 && args[0] === "multi" && args[1] === "auth") {
 		return ["auth", ...args.slice(2)];
@@ -36,6 +40,10 @@ export function normalizeAuthAlias(args) {
 	return args;
 }
 
+/**
+ * @param {string[]} args
+ * @returns {boolean}
+ */
 export function shouldHandleMultiAuthAuth(args) {
 	if (args[0] !== "auth") return false;
 	if (args.length === 1) return true;

scripts/test-model-matrix.js

@@ -148,6 +148,15 @@ function runQuiet(command, commandArgs) {
 	}
 }
 
+function runQuietWindowsTaskkill(pid) {
+	runQuiet("cmd.exe", [
+		"/d",
+		"/s",
+		"/c",
+		`taskkill /F /T /PID ${pid}`,
+	]);
+}
+
 export function registerSpawnedCodex(pid) {
 	if (!Number.isInteger(pid) || pid <= 0) return;
 	spawnedCodexPids.add(pid);
@@ -228,7 +237,7 @@ function stopCodexServersInternal() {
 	spawnedCodexPids.clear();
 	for (const pid of tracked) {
 		if (process.platform === "win32") {
-			runQuiet("taskkill", ["/F", "/T", "/PID", String(pid)]);
+			runQuietWindowsTaskkill(pid);
 			continue;
 		}
 		runQuiet("kill", ["-9", String(pid)]);

test/auto-update-checker.test.ts

@@ -889,8 +889,13 @@ describe("auto-update-checker", () => {
 			await flushUpdateStartup();
 			await vi.advanceTimersByTimeAsync(25);
 			expect(childProcess.spawn).toHaveBeenLastCalledWith(
-				"taskkill",
-				["/PID", "1234", "/T", "/F"],
+				"cmd.exe",
+				[
+					"/d",
+					"/s",
+					"/c",
+					"taskkill /PID 1234 /T /F",
+				],
 				expect.objectContaining({ stdio: "ignore", windowsHide: true }),
 			);
 			killer.emit("exit", 0, null);

test/fetch-helpers.test.ts

@@ -688,12 +688,21 @@ describe('isWorkspaceDisabledError', () => {
 		expect(isWorkspaceDisabledError(403, 'error.usage_not_included', '')).toBe(false);
 	});
 
-	it('returns false for non-403 status even with disabled message', () => {
+	it('returns true for 402 deactivated_workspace signals', () => {
+		expect(isWorkspaceDisabledError(402, 'deactivated_workspace', '')).toBe(true);
+		expect(isWorkspaceDisabledError(402, 'error.deactivated_workspace', '')).toBe(true);
+		expect(
+			isWorkspaceDisabledError(402, '', '{"error":{"code":"deactivated_workspace"}}'),
+		).toBe(true);
+	});
+
+	it('returns false for statuses without supported disabled signals', () => {
 		expect(isWorkspaceDisabledError(400, '', 'Your workspace has been disabled')).toBe(false);
 		expect(isWorkspaceDisabledError(401, '', 'Your workspace has been disabled')).toBe(false);
 		expect(isWorkspaceDisabledError(500, '', 'Your workspace has been disabled')).toBe(false);
 		expect(isWorkspaceDisabledError(400, 'workspace_disabled', '')).toBe(false);
 		expect(isWorkspaceDisabledError(402, 'payment_required', '')).toBe(false);
+		expect(isWorkspaceDisabledError(402, '', 'Your workspace has been disabled')).toBe(false);
 	});
 
 	it('returns false for 403 with unrelated messages', () => {

test/index-retry.test.ts

@@ -694,7 +694,6 @@ describe("OpenAIAuthPlugin rate-limit retry", () => {
 	});
 
 	it("keeps the total request cap when empty-response retries and server-error rotation combine", async () => {
-		vi.useFakeTimers();
 		const logger = await import("../lib/logger.js");
 		const logWarnSpy = vi.spyOn(logger, "logWarn").mockImplementation(() => {});
 
@@ -752,11 +751,7 @@ describe("OpenAIAuthPlugin rate-limit retry", () => {
 		});
 
 		const sdk = (await plugin.auth.loader(getAuth, { options: {}, models: {} })) as any;
-		const fetchPromise = sdk.fetch("https://example.com", {});
-
-		await vi.advanceTimersByTimeAsync(1500);
-
-		const response = await fetchPromise;
+		const response = await sdk.fetch("https://example.com", {});
 		const payload = await response.json();
 
 		expect(fetchMock).toHaveBeenCalledTimes(6);