fix(request): block private account headers by prefix and stop fabricating a pinned index

Two review findings on the extracted modules, both pre-existing behavior
moved verbatim by the phase-1 carve, fixed here to keep that PR
zero-behavior-change:

- responseHeadersForClient filtered account metadata by an exact-name
  allowlist, so a future x-codex-multi-auth-account-* header would leak
  to clients by default. The filter now blocks the whole prefix.
- buildPinnedUnavailableErrorBody rendered a null pinned index (the
  desync path) as "Pinned account 1" while the machine-readable
  pinnedAccountIndex stayed null. The message now says "The pinned
  account" when the index is unknown.

Tests updated/added for both, including the pre-existing null-index pin
in test/issue-474-pin-honored.test.ts.

https://claude.ai/code/session_01XNtnkLbBiXZxfQQYLMpucB

Author: claude

lib/request/rate-limit-decision.ts

@@ -195,9 +195,14 @@ export function buildPinnedUnavailableErrorBody(
 			? accountSkipReasons.get(normalizedPinnedIndex) ?? null
 			: null;
 	const reasonSuffix = skipReason ? ` (${skipReason})` : "";
-	const displayIndex = (normalizedPinnedIndex ?? 0) + 1;
+	// On the desync path the pin index is unknown (null); claiming "account 1"
+	// there would contradict the machine-readable pinnedAccountIndex: null.
+	const accountPhrase =
+		normalizedPinnedIndex === null
+			? "The pinned account"
+			: `Pinned account ${normalizedPinnedIndex + 1}`;
 	return {
-		message: `Pinned account ${displayIndex} is currently unavailable${reasonSuffix}; run \`codex-multi-auth status\` for details, or \`codex-multi-auth unpin\` to allow rotation.`,
+		message: `${accountPhrase} is currently unavailable${reasonSuffix}; run \`codex-multi-auth status\` for details, or \`codex-multi-auth unpin\` to allow rotation.`,
 		code: "codex_pinned_account_unavailable",
 		pinnedAccountIndex: normalizedPinnedIndex,
 		reason: skipReason,

lib/request/stream-failover-runtime.ts

@@ -13,12 +13,11 @@ export const HOP_BY_HOP_HEADERS = new Set([
 	"transfer-encoding",
 	"upgrade",
 ]);
-const PRIVATE_CLIENT_RESPONSE_HEADERS = new Set([
-	"x-codex-multi-auth-account-index",
-	"x-codex-multi-auth-account-label",
-	"x-codex-multi-auth-account-email",
-	"x-codex-multi-auth-account-id",
-]);
+// Any header under this prefix carries account-identifying rotation metadata
+// (index/label/email/id today) and must never reach the client; matching by
+// prefix means a future header added under it is blocked by default instead
+// of leaking until someone remembers to extend an allowlist.
+const PRIVATE_CLIENT_RESPONSE_HEADER_PREFIX = "x-codex-multi-auth-account-";
 const DECODED_UPSTREAM_RESPONSE_HEADERS = new Set([
 	// Node fetch returns decoded bytes while preserving the upstream encoding header.
 	"content-encoding",
@@ -29,7 +28,7 @@ export function responseHeadersForClient(upstreamHeaders: Headers): Record<strin
 	for (const [key, value] of upstreamHeaders.entries()) {
 		const normalizedKey = key.toLowerCase();
 		if (HOP_BY_HOP_HEADERS.has(normalizedKey)) continue;
-		if (PRIVATE_CLIENT_RESPONSE_HEADERS.has(normalizedKey)) continue;
+		if (normalizedKey.startsWith(PRIVATE_CLIENT_RESPONSE_HEADER_PREFIX)) continue;
 		if (DECODED_UPSTREAM_RESPONSE_HEADERS.has(normalizedKey)) continue;
 		headers[key] = value;
 	}

test/issue-474-pin-honored.test.ts

@@ -719,7 +719,10 @@ describe("issue #474 — manual pin honored by runtime proxy", () => {
 			);
 			expect(body.pinnedAccountIndex).toBeNull();
 			expect(body.reason).toBeNull();
-			expect(body.message).toContain("Pinned account 1");
+			// The desync path must not fabricate an index that contradicts the
+			// machine-readable pinnedAccountIndex: null.
+			expect(body.message).toContain("The pinned account is currently unavailable;");
+			expect(body.message).not.toContain("Pinned account 1");
 		});
 
 		it("mirrors the full accountSkipReasons map even when the pinned entry is unknown", () => {

test/rate-limit-decision.test.ts

@@ -275,11 +275,14 @@ describe("buildPinnedUnavailableErrorBody", () => {
 		expect(body.account_skip_reasons).toEqual({ "0": "rate-limited", "1": "disabled" });
 	});
 
-	it("omits the parenthetical and reason on the null-index desync path", () => {
+	it("omits the index, parenthetical, and reason on the null-index desync path", () => {
+		// Regression: the message used to render the null index as "Pinned
+		// account 1", contradicting the machine-readable pinnedAccountIndex.
 		const body = buildPinnedUnavailableErrorBody(null, new Map());
 		expect(body.pinnedAccountIndex).toBeNull();
 		expect(body.reason).toBeNull();
-		expect(body.message).toContain("Pinned account 1 is currently unavailable;");
+		expect(body.message).toContain("The pinned account is currently unavailable;");
+		expect(body.message).not.toContain("Pinned account 1");
 		expect(body.message).not.toContain("(");
 		expect(body.account_skip_reasons).toEqual({});
 	});

test/stream-failover-runtime.test.ts

@@ -96,6 +96,19 @@ describe("responseHeadersForClient", () => {
 		});
 	});
 
+	it("blocks any header under the private account prefix, not just known names", () => {
+		// Regression: the filter used to be an exact-name allowlist, so a future
+		// x-codex-multi-auth-account-* header would have leaked by default.
+		const upstream = new Headers({
+			"content-type": "application/json",
+			"x-codex-multi-auth-account-plan": "pro",
+			"X-Codex-Multi-Auth-Account-Future-Field": "secret",
+		});
+		expect(responseHeadersForClient(upstream)).toEqual({
+			"content-type": "application/json",
+		});
+	});
+
 	it("covers every hop-by-hop header in the exported set", () => {
 		const upstream = new Headers();
 		for (const name of HOP_BY_HOP_HEADERS) {