Address remaining goal proxy review findings

Author: ndycode

lib/runtime-rotation-proxy.ts

@@ -341,6 +341,10 @@ function readStringSearchParam(searchParams: URLSearchParams, key: string): stri
 	return value && value.trim().length > 0 ? value.trim() : null;
 }
 
+function isThreadGoalFallbackStatus(status: number): boolean {
+	return status === HTTP_STATUS.FORBIDDEN;
+}
+
 function resolveSessionKey(headers: Headers, parsedBody: RequestBody | null): string | null {
 	const headerKey =
 		headers.get(OPENAI_HEADERS.SESSION_ID) ??
@@ -938,7 +942,7 @@ export async function startRuntimeRotationProxy(
 				operation: isModelsRequest
 					? "models"
 					: isThreadGoalRequest
-						? "diagnostic"
+						? "responses"
 						: "responses",
 				model: context.model,
 				projectKey,
@@ -1136,21 +1140,32 @@ export async function startRuntimeRotationProxy(
 					continue;
 				}
 
-				if (isThreadGoalRequest && upstream.status >= 400) {
+				if (isThreadGoalRequest && isThreadGoalFallbackStatus(upstream.status)) {
 					await readErrorBody(upstream);
 					const parsedGoalBody = parseRequestBody(context.body);
-					const fallbackKey = context.sessionKey ?? "default";
+					const fallbackKey = context.sessionKey;
 					const goal =
 						typeof parsedGoalBody?.goal === "string" ? parsedGoalBody.goal : null;
-					accountManager.recordSuccess(refreshed.account, context.family, context.model);
-					await persistRuntimeActiveAccount(
-						accountManager,
-						refreshed.account,
-						context.family,
-					);
+					if (!fallbackKey) {
+						await usageRecorder.record({
+							outcome: "failure",
+							statusCode: HTTP_STATUS.BAD_REQUEST,
+							errorCode: "thread_goal_session_key_required",
+							account: refreshed.account,
+						});
+						writeJson(res, HTTP_STATUS.BAD_REQUEST, {
+							error: {
+								message:
+									"Thread goal fallback requires a thread_id, threadId, or session header.",
+								code: "thread_goal_session_key_required",
+							},
+						});
+						return;
+					}
 					await usageRecorder.record({
-						outcome: "success",
-						statusCode: HTTP_STATUS.OK,
+						outcome: "failure",
+						statusCode: upstream.status,
+						errorCode: "thread_goal_upstream_blocked",
 						account: refreshed.account,
 					});
 					if (context.upstreamPath.endsWith("/set")) {
@@ -1164,6 +1179,23 @@ export async function startRuntimeRotationProxy(
 					return;
 				}
 
+				if (isThreadGoalRequest && upstream.status >= 400) {
+					const forwarded = await forwardStreamingResponse(
+						upstream,
+						res,
+						status,
+						() => undefined,
+						streamStallTimeoutMs,
+					);
+					await usageRecorder.record({
+						outcome: "failure",
+						statusCode: upstream.status,
+						errorCode: forwarded ? "thread_goal_upstream_error" : "stream_forward_failed",
+						account: refreshed.account,
+					});
+					return;
+				}
+
 				accountManager.recordSuccess(refreshed.account, context.family, context.model);
 				const nearExhaustionWaitMs = getQuotaNearExhaustionWaitMs(
 					upstream.headers,

scripts/codex.js

@@ -89,6 +89,7 @@ const shadowHomeCleanupRetryMarkerDir =
 	(process.env.CODEX_MULTI_AUTH_TEST_SHADOW_RETRY_MARKER_DIR ?? "").trim();
 let warnedInvalidRuntimeRotationProxyEnv = false;
 let warnedPendingAccountReadIdOverflow = false;
+let warnedShadowHomeSqliteLinkFailure = false;
 
 async function loadRuntimeConstants() {
 	const fallback = {
@@ -1906,15 +1907,19 @@ function shouldMaterializeFileIntoShadowHome(name) {
 	return /\.sqlite(?:-(?:shm|wal))?$/i.test(name);
 }
 
-function materializeFileIntoShadowHome(sourcePath, destinationPath, tightenFile) {
+function materializeFileIntoShadowHome(sourcePath, destinationPath) {
 	try {
 		linkSync(sourcePath, destinationPath);
-		return;
+		return true;
 	} catch {
-		// Hard links make SQLite roots look local without copying an active DB.
+		if (!warnedShadowHomeSqliteLinkFailure) {
+			warnedShadowHomeSqliteLinkFailure = true;
+			console.error(
+				"codex-multi-auth: skipped SQLite shadow-home materialization because hard-linking failed; refusing to copy active SQLite state.",
+			);
+		}
 	}
-	copyFileSync(sourcePath, destinationPath);
-	tightenFile(destinationPath);
+	return false;
 }
 
 function collectShadowHomeSyncFileNames(shadowCodexHome, syncFileNames) {
@@ -2120,7 +2125,7 @@ function createShadowHomeMirror(
 						copyFileSync(sourcePath, destinationPath);
 						tightenFile(destinationPath);
 					} else if (shouldMaterializeFile) {
-						materializeFileIntoShadowHome(sourcePath, destinationPath, tightenFile);
+						materializeFileIntoShadowHome(sourcePath, destinationPath);
 					} else {
 						mirrorFileIntoShadowHome(sourcePath, destinationPath, tightenFile);
 					}
@@ -2881,10 +2886,8 @@ async function createRuntimeRotationAppHelperContext(
 
 	const cleanup = async ({ exitCode } = {}) => {
 		const livedMs = Date.now() - startedAt;
-		if (
-			options.detachOnExit === true ||
-			(exitCode === 0 && livedMs < detachGraceMs)
-		) {
+		const exitedSuccessfully = exitCode === 0 || exitCode === null || exitCode === undefined;
+		if (exitedSuccessfully && (options.detachOnExit === true || livedMs < detachGraceMs)) {
 			helper.stdout?.destroy();
 			helper.stderr?.destroy();
 			helper.unref();

test/codex-bin-wrapper.test.ts

@@ -14,7 +14,14 @@ import {
 	writeFileSync,
 } from "node:fs";
 import { tmpdir } from "node:os";
-import { delimiter, dirname, join } from "node:path";
+import {
+	delimiter,
+	dirname,
+	isAbsolute,
+	join,
+	relative,
+	resolve,
+} from "node:path";
 import process from "node:process";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { afterEach, describe, expect, it } from "vitest";
@@ -1043,9 +1050,11 @@ describe("codex bin wrapper", () => {
 		const shadowHomeMatch = output.match(/^CODEX_HOME:(.+)$/m);
 		expect(shadowHomeMatch?.[1]).toBeTruthy();
 		if (shadowHomeMatch?.[1]) {
-			expect(shadowHomeMatch[1]).toContain(
-				join(originalHome, "multi-auth", "runtime-shadow-homes"),
-			);
+			const expectedRoot = resolve(originalHome, "multi-auth", "runtime-shadow-homes");
+			const actual = resolve(shadowHomeMatch[1]);
+			const shadowRelativePath = relative(expectedRoot, actual);
+			expect(shadowRelativePath).not.toMatch(/^\.\.(?:[\\/]|$)/);
+			expect(isAbsolute(shadowRelativePath)).toBe(false);
 			expect(existsSync(shadowHomeMatch[1])).toBe(false);
 		}
 		expect(readFileSync(markerPath, "utf8")).toBe(
@@ -1805,6 +1814,42 @@ describe("codex bin wrapper", () => {
 		expect(marker).toContain("close\n");
 	});
 
+	it("stops detached TUI app helpers after failed launches", async () => {
+		const fixtureRoot = createWrapperFixture();
+		createRuntimeRotationProxyFixtureModule(fixtureRoot);
+		const fakeBin = createCustomFakeCodexBin(fixtureRoot, [
+			"#!/usr/bin/env node",
+			'console.error("tui failed");',
+			"process.exit(1);",
+		]);
+		const originalHome = join(fixtureRoot, "codex-home");
+		const markerPath = join(fixtureRoot, "proxy-marker.txt");
+		mkdirSync(originalHome, { recursive: true });
+		writeFileSync(
+			join(originalHome, "config.toml"),
+			'model_provider = "openai"\n',
+			"utf8",
+		);
+
+		const result = runWrapper(fixtureRoot, [], {
+			CODEX_MULTI_AUTH_REAL_CODEX_BIN: fakeBin,
+			CODEX_HOME: originalHome,
+			CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY: "1",
+			CODEX_MULTI_AUTH_APP_ROTATION_IDLE_MS: "10000",
+			CODEX_MULTI_AUTH_TEST_PROXY_MARKER: markerPath,
+			CODEX_MULTI_AUTH_TEST_PROXY_MARKER_PID: "1",
+			OPENAI_API_KEY: undefined,
+		});
+
+		expect(result.status).toBe(1);
+		const marker = readFileSync(markerPath, "utf8");
+		const helperPid = Number(
+			marker.match(/^start:http:\/\/127\.0\.0\.1:4567:pid=(\d+)$/m)?.[1] ?? NaN,
+		);
+		expect(Number.isFinite(helperPid)).toBe(true);
+		expect(isProcessAlive(helperPid)).toBe(false);
+	});
+
 	it("writes app router status files with owner-only permissions", async () => {
 		const fixtureRoot = createWrapperFixture();
 		createRuntimeRotationProxyFixtureModule(fixtureRoot);

test/runtime-rotation-proxy.test.ts

@@ -632,6 +632,30 @@ describe("runtime rotation proxy", () => {
 		]);
 	});
 
+	it("rejects anonymous blocked thread goal fallbacks instead of sharing state", async () => {
+		const now = Date.now();
+		const accountManager = new AccountManager(undefined, createStorage(now));
+		const { calls, fetchImpl } = createRecordingFetch(
+			() =>
+				new Response("<html>blocked</html>", {
+					status: HTTP_STATUS.FORBIDDEN,
+					headers: { "content-type": "text/html" },
+				}),
+		);
+		const proxy = await startProxy({ accountManager, fetchImpl });
+
+		const response = await postThreadGoal(proxy, { goal: "ship it" }, "/thread/goal/set");
+
+		expect(response.status).toBe(HTTP_STATUS.BAD_REQUEST);
+		expect(await response.json()).toEqual({
+			error: {
+				message: "Thread goal fallback requires a thread_id, threadId, or session header.",
+				code: "thread_goal_session_key_required",
+			},
+		});
+		expect(calls).toHaveLength(1);
+	});
+
 	it("keys blocked GET thread goal fallbacks by query thread id", async () => {
 		const now = Date.now();
 		const accountManager = new AccountManager(undefined, createStorage(now));
@@ -659,6 +683,88 @@ describe("runtime rotation proxy", () => {
 		]);
 	});
 
+	it("passes through non-fallback thread goal client errors", async () => {
+		const now = Date.now();
+		const accountManager = new AccountManager(undefined, createStorage(now));
+		const recordSuccessSpy = vi.spyOn(accountManager, "recordSuccess");
+		const { calls, fetchImpl } = createRecordingFetch(
+			() =>
+				new Response('{"error":{"code":"bad_goal"}}\n', {
+					status: HTTP_STATUS.BAD_REQUEST,
+					headers: { "content-type": "application/json" },
+				}),
+		);
+		const proxy = await startProxy({ accountManager, fetchImpl });
+
+		const response = await postThreadGoal(
+			proxy,
+			{ threadId: "thread-1", goal: "" },
+			"/thread/goal/set",
+		);
+
+		expect(response.status).toBe(HTTP_STATUS.BAD_REQUEST);
+		expect(await response.text()).toBe('{"error":{"code":"bad_goal"}}\n');
+		expect(calls).toHaveLength(1);
+		expect(recordSuccessSpy).not.toHaveBeenCalled();
+	});
+
+	it("rejects unauthenticated thread goal requests", async () => {
+		const now = Date.now();
+		const accountManager = new AccountManager(undefined, createStorage(now));
+		const { calls, fetchImpl } = createRecordingFetch(
+			() => new Response('{"ok":true}', { status: HTTP_STATUS.OK }),
+		);
+		const proxy = await startProxy({ accountManager, fetchImpl });
+
+		const response = await postThreadGoal(
+			proxy,
+			{ threadId: "thread-1" },
+			"/thread/goal/get",
+			{ authorization: "Bearer caller-token", "x-api-key": "caller-key" },
+		);
+
+		expect(response.status).toBe(HTTP_STATUS.UNAUTHORIZED);
+		expect(calls).toHaveLength(0);
+	});
+
+	it("isolates local thread goal fallback state across concurrent threads", async () => {
+		const now = Date.now();
+		const accountManager = new AccountManager(undefined, createStorage(now));
+		const { calls, fetchImpl } = createRecordingFetch(
+			() =>
+				new Response("<html>blocked</html>", {
+					status: HTTP_STATUS.FORBIDDEN,
+					headers: { "content-type": "text/html" },
+				}),
+		);
+		const proxy = await startProxy({ accountManager, fetchImpl });
+
+		const [setA, setB] = await Promise.all([
+			postThreadGoal(proxy, { threadId: "thread-a", goal: "goal-a" }, "/thread/goal/set"),
+			postThreadGoal(proxy, { threadId: "thread-b", goal: "goal-b" }, "/thread/goal/set"),
+		]);
+		const [getA, getB] = await Promise.all([
+			postThreadGoal(proxy, { threadId: "thread-a" }, "/thread/goal/get"),
+			postThreadGoal(proxy, { threadId: "thread-b" }, "/thread/goal/get"),
+		]);
+
+		expect(setA.status).toBe(HTTP_STATUS.OK);
+		expect(setB.status).toBe(HTTP_STATUS.OK);
+		expect(await getA.json()).toEqual({ goal: "goal-a" });
+		expect(await getB.json()).toEqual({ goal: "goal-b" });
+		expect(calls).toHaveLength(4);
+		expect(
+			calls.filter(
+				(call) => call.url === "https://example.test/backend-api/codex/thread/goal/set",
+			),
+		).toHaveLength(2);
+		expect(
+			calls.filter(
+				(call) => call.url === "https://example.test/backend-api/codex/thread/goal/get",
+			),
+		).toHaveLength(2);
+	});
+
 	it("rejects unauthenticated model discovery requests", async () => {
 		const now = Date.now();
 		const accountManager = new AccountManager(undefined, createStorage(now));