Merge PR #90: fix: preserve business accounts that share a workspace accountId

fix: preserve business accounts that share a workspace accountId

Author: ndycode

README.md

@@ -278,9 +278,9 @@ codex auth doctor --json
 
 ## Release Notes
 
-- Current stable: [docs/releases/v0.1.5.md](docs/releases/v0.1.5.md)
-- Previous stable: [docs/releases/v0.1.4.md](docs/releases/v0.1.4.md)
-- Earlier stable: [docs/releases/v0.1.3.md](docs/releases/v0.1.3.md)
+- Current stable: [docs/releases/v0.1.9.md](docs/releases/v0.1.9.md)
+- Previous stable: [docs/releases/v0.1.8.md](docs/releases/v0.1.8.md)
+- Earlier stable: [docs/releases/v0.1.7.md](docs/releases/v0.1.7.md)
 - Archived prerelease: [docs/releases/v0.1.0-beta.0.md](docs/releases/v0.1.0-beta.0.md)
 
 ## License

docs/README.md

@@ -26,9 +26,10 @@ Public documentation for `codex-multi-auth`.
 | [troubleshooting.md](troubleshooting.md) | Recovery playbooks for install, login, switching, and stale state |
 | [privacy.md](privacy.md) | Data handling and local storage behavior |
 | [upgrade.md](upgrade.md) | Migration from legacy package and path history |
-| [releases/v0.1.8.md](releases/v0.1.8.md) | Stable release notes |
-| [releases/v0.1.7.md](releases/v0.1.7.md) | Previous stable release notes |
-| [releases/v0.1.6.md](releases/v0.1.6.md) | Earlier stable release notes |
+| [releases/v0.1.9.md](releases/v0.1.9.md) | Stable release notes |
+| [releases/v0.1.8.md](releases/v0.1.8.md) | Previous stable release notes |
+| [releases/v0.1.7.md](releases/v0.1.7.md) | Earlier stable release notes |
+| [releases/v0.1.6.md](releases/v0.1.6.md) | Archived stable release notes |
 | [releases/v0.1.5.md](releases/v0.1.5.md) | Archived stable release notes |
 | [releases/v0.1.0-beta.0.md](releases/v0.1.0-beta.0.md) | Archived prerelease notes |
 
@@ -43,7 +44,7 @@ Public documentation for `codex-multi-auth`.
 | [reference/storage-paths.md](reference/storage-paths.md) | Canonical and compatibility storage paths |
 | [reference/public-api.md](reference/public-api.md) | Public API stability and semver contract |
 | [reference/error-contracts.md](reference/error-contracts.md) | CLI, JSON, and helper error semantics |
-| [releases/v0.1.8.md](releases/v0.1.8.md) | Current stable release notes |
+| [releases/v0.1.9.md](releases/v0.1.9.md) | Current stable release notes |
 | [releases/v0.1.0-beta.0.md](releases/v0.1.0-beta.0.md) | Archived prerelease reference |
 | [User Guides release notes](#user-guides) | Stable, previous, and archived release notes |
 | [releases/legacy-pre-0.1-history.md](releases/legacy-pre-0.1-history.md) | Archived pre-0.1 changelog history |

docs/releases/v0.1.9.md

@@ -0,0 +1,71 @@
+# Release v0.1.9
+
+Release date: 2026-03-13
+Channel: `latest`
+
+## Highlights
+
+- Preserved distinct business accounts that share a workspace `accountId` so no-email login, refresh, and restore paths stop overwriting sibling seats.
+- Aligned guarded identity matching across runtime login, CLI recovery, storage normalization, import preview/apply, and entitlement tracking.
+- Hardened rollback and regression coverage for concurrent persistence, flagged-account recovery, malformed-token rows, and shared-workspace edge cases.
+
+## Install
+
+```bash
+npm i -g @openai/codex
+npm i -g codex-multi-auth
+```
+
+## Core Operations
+
+```bash
+codex auth login
+codex auth list
+codex auth status
+codex auth check
+codex auth forecast --live
+```
+
+## Validation Snapshot
+
+Release gate commands:
+
+- `npm run clean:repo:check`
+- `npm run audit:ci`
+- `npm run lint`
+- `npm test -- test/documentation.test.ts`
+- `npm test -- test/accounts.test.ts test/oc-chatgpt-import-adapter.test.ts test/index.test.ts test/storage.test.ts test/codex-manager-cli.test.ts test/entitlement-cache.test.ts`
+
+Broad validation result:
+
+- `repo-hygiene check passed`
+- `npm run audit:ci` passed at the configured high-severity threshold; the remaining `hono` advisory stayed below that gate
+- `npm run lint` passed
+- `19/19` documentation integrity tests passed after promoting the new stable release notes
+- `6/6` targeted shared-account regression suites passed (`405/405` tests)
+
+Known baseline blockers observed during release validation:
+
+- `npm run typecheck` fails on both `origin/main` and this release branch because the workspace cannot currently resolve `@codex-ai/plugin/tool` and already carries unrelated TypeScript errors outside `#90`
+- `npm run build` remains blocked by the same pre-existing typecheck baseline
+
+## Merged PRs
+
+- `#90` `fix: preserve business accounts that share a workspace accountId`
+
+## Commits
+
+- PR `#90` carries the guarded account-identity matching fixes and regression coverage that preserve shared-workspace business accounts across login, import, flagged recovery, storage normalization, and entitlement tracking.
+- The release bump in this branch promotes `0.1.9` in package metadata and refreshes the stable release-note links in the root docs surfaces.
+
+## Notes
+
+- Bare `accountId` fallback now only applies when the no-email case is unambiguous.
+- Entitlement cache identity now prefers the fresh email resolved from the latest token material and avoids refresh-token-derived keys.
+- CLI and runtime persistence paths now share the same guarded account matching behavior for shared-workspace business accounts.
+
+## Related
+
+- [../getting-started.md](../getting-started.md)
+- [../upgrade.md](../upgrade.md)
+- [../reference/commands.md](../reference/commands.md)

index.ts

@@ -129,7 +129,7 @@ import {
 	loadFlaggedAccounts,
 	saveFlaggedAccounts,
 	clearFlaggedAccounts,
-	normalizeEmailKey,
+	findMatchingAccountIndex,
 	StorageError,
 	formatStorageErrorHint,
 	setStorageBackupEnabled,
@@ -526,24 +526,6 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 					const stored = replaceAll ? null : loadedStorage;
 					const accounts = stored?.accounts ? [...stored.accounts] : [];
 
-					const indexByRefreshToken = new Map<string, number>();
-					const indexByAccountId = new Map<string, number>();
-					const indexByEmail = new Map<string, number>();
-					for (let i = 0; i < accounts.length; i += 1) {
-						const account = accounts[i];
-						if (!account) continue;
-						if (account.refreshToken) {
-							indexByRefreshToken.set(account.refreshToken, i);
-						}
-						if (account.accountId) {
-							indexByAccountId.set(account.accountId, i);
-						}
-						const emailKey = normalizeEmailKey(account.email);
-						if (emailKey) {
-							indexByEmail.set(emailKey, i);
-						}
-					}
-
 					for (const result of results) {
 						const accountId = result.accountIdOverride ?? extractAccountId(result.access);
 						const accountIdSource =
@@ -553,19 +535,15 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 								: undefined;
 						const accountLabel = result.accountLabel;
 						const accountEmail = sanitizeEmail(extractAccountEmail(result.access, result.idToken));
-						const existingByEmail =
-							accountEmail && indexByEmail.has(accountEmail)
-								? indexByEmail.get(accountEmail)
-								: undefined;
-						const existingById =
-							accountId && indexByAccountId.has(accountId)
-								? indexByAccountId.get(accountId)
-								: undefined;
-						const existingByToken = indexByRefreshToken.get(result.refresh);
-						const existingIndex = existingById ?? existingByEmail ?? existingByToken;
+						const existingIndex = findMatchingAccountIndex(accounts, {
+							accountId,
+							email: accountEmail,
+							refreshToken: result.refresh,
+						}, {
+							allowUniqueAccountIdFallbackWithoutEmail: true,
+						});
 
 						if (existingIndex === undefined) {
-							const newIndex = accounts.length;
 							accounts.push({
 								accountId,
 								accountIdSource,
@@ -577,21 +555,12 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 								addedAt: now,
 								lastUsed: now,
 							});
-							indexByRefreshToken.set(result.refresh, newIndex);
-							if (accountId) {
-								indexByAccountId.set(accountId, newIndex);
-							}
-							if (accountEmail) {
-								indexByEmail.set(accountEmail, newIndex);
-							}
 							continue;
 						}
 
 						const existing = accounts[existingIndex];
 						if (!existing) continue;
 
-						const oldToken = existing.refreshToken;
-						const oldEmail = existing.email;
 						const nextEmail = accountEmail ?? sanitizeEmail(existing.email);
 						const nextAccountId = accountId ?? existing.accountId;
 						const nextAccountIdSource =
@@ -608,21 +577,6 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 							expiresAt: result.expires,
 							lastUsed: now,
 						};
-						if (oldToken !== result.refresh) {
-							indexByRefreshToken.delete(oldToken);
-							indexByRefreshToken.set(result.refresh, existingIndex);
-						}
-						if (accountId) {
-							indexByAccountId.set(accountId, existingIndex);
-						}
-						const oldEmailKey = normalizeEmailKey(oldEmail);
-						const nextEmailKey = normalizeEmailKey(nextEmail);
-						if (oldEmailKey && oldEmailKey !== nextEmailKey) {
-							indexByEmail.delete(oldEmailKey);
-						}
-						if (nextEmailKey) {
-							indexByEmail.set(nextEmailKey, existingIndex);
-						}
 					}
 
 					if (accounts.length === 0) return;
@@ -1407,6 +1361,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 										const accountCount = accountManager.getAccountCount();
 										const attempted = new Set<number>();
 										let restartAccountTraversalWithFallback = false;
+										let retryNextAccountBeforeFallback = false;
 										let usedPreferredSessionAccount = false;
 										const capabilityBoostByAccount: Record<number, number> = {};
 										type AccountSnapshotCandidate = {
@@ -1547,11 +1502,6 @@ while (attempted.size < Math.max(1, accountCount)) {
 						account.accountIdSource,
 						tokenAccountId,
 					);
-					const entitlementAccountKey = resolveEntitlementAccountKey({
-						accountId: hadAccountId ? account.accountId : undefined,
-						email: account.email,
-						index: account.index,
-					});
 						if (!accountId) {
 							accountManager.markAccountCoolingDown(
 								account,
@@ -1561,12 +1511,19 @@ while (attempted.size < Math.max(1, accountCount)) {
 							accountManager.saveToDiskDebounced();
 							continue;
 						}
+											const resolvedEmail =
+												extractAccountEmail(accountAuth.access) ?? account.email;
+											const entitlementAccountKey = resolveEntitlementAccountKey({
+												accountId: account.accountId ?? accountId,
+												email: resolvedEmail,
+												refreshToken: account.refreshToken,
+												index: account.index,
+											});
 											account.accountId = accountId;
 											if (!hadAccountId && tokenAccountId && accountId === tokenAccountId) {
 												account.accountIdSource = account.accountIdSource ?? "token";
 											}
-											account.email =
-												extractAccountEmail(accountAuth.access) ?? account.email;
+											account.email = resolvedEmail;
 											const entitlementBlock = entitlementCache.isBlocked(
 												entitlementAccountKey,
 												model ?? modelFamily,
@@ -1817,6 +1774,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 						fallbackReason: "unsupported-model-entitlement",
 					},
 				);
+				retryNextAccountBeforeFallback = true;
 				break;
 			}
 
@@ -2338,7 +2296,10 @@ while (attempted.size < Math.max(1, accountCount)) {
 						if (successAccountForResponse.index !== account.index) {
 							accountManager.markSwitched(successAccountForResponse, "rotation", modelFamily);
 						}
-						const successAccountKey = resolveEntitlementAccountKey(successAccountForResponse);
+						const successAccountKey =
+							successAccountForResponse.index === account.index
+								? entitlementAccountKey
+								: resolveEntitlementAccountKey(successAccountForResponse);
 						accountManager.recordSuccess(successAccountForResponse, modelFamily, model);
 						capabilityPolicyStore.recordSuccess(
 							successAccountKey,
@@ -2357,6 +2318,11 @@ while (attempted.size < Math.max(1, accountCount)) {
 					}
 						return successResponse;
 																								}
+										if (retryNextAccountBeforeFallback) {
+											retryNextAccountBeforeFallback = false;
+											continue;
+										}
+
 										if (restartAccountTraversalWithFallback) {
 											break;
 										}
@@ -3263,12 +3229,25 @@ while (attempted.size < Math.max(1, accountCount)) {
 									const label = resolved.accountLabel ?? email ?? accountId ?? "Unknown account";
 									logInfo(`Authenticated as: ${label}`);
 
-									const isDuplicate = accounts.some(
-										(account) =>
-											(accountId &&
-												(account.accountIdOverride ?? extractAccountId(account.access)) === accountId) ||
-											(email && extractAccountEmail(account.access, account.idToken) === email),
-									);
+									const isDuplicate =
+										findMatchingAccountIndex(
+											accounts.map((account) => ({
+												accountId:
+													account.accountIdOverride ?? extractAccountId(account.access),
+												email: sanitizeEmail(
+													extractAccountEmail(account.access, account.idToken),
+												),
+												refreshToken: account.refresh,
+											})),
+											{
+												accountId,
+												email: sanitizeEmail(email),
+												refreshToken: resolved.refresh,
+											},
+											{
+												allowUniqueAccountIdFallbackWithoutEmail: true,
+											},
+										) !== undefined;
 
 									if (isDuplicate) {
 										logWarn(`WARNING: duplicate account login detected (${label}). Existing entry will be updated.`);
@@ -4163,5 +4142,3 @@ while (attempted.size < Math.max(1, accountCount)) {
 export const OpenAIAuthPlugin = OpenAIOAuthPlugin;
 
 export default OpenAIOAuthPlugin;
-
-