chore: release v2.1.13-beta.2 (#496) (#497) (#498)

ndycode · claude · web-flow · commit 70ab38adf7e2 · 2026-05-31T22:23:11.000+08:00
Prerelease that ships the cascade OAuth token-invalidation fix from issue #495 to npm under the `beta` dist-tag: the 401 handler now detects explicit token-invalidation responses and returns them to the client instead of rotating through every account (the rotation itself was tripping OpenAI's anti-abuse detection and invalidating accounts in sequence). Invalidated accounts get a monotonic 5-minute cooldown, session affinity is cleared, and both invalidation exit paths emit a consistent token_invalidated error body. Also adds a configurable minRotationIntervalMs sticky window. Carries forward multi-workspace support (beta.1) and the pinned-account 503 diagnostic (beta.0). Stable v2.1.13 will land once the issue #486 root cause is identified and patched. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
diff --git a/.codex-plugin/plugin.json b/.codex-plugin/plugin.json
@@ -1,6 +1,6 @@
 {
   "name": "codex-multi-auth",
-  "version": "2.1.13-beta.1",
+  "version": "2.1.13-beta.2",
   "description": "Install and operate codex-multi-auth for the official @openai/codex CLI with multi-account OAuth rotation, switching, health checks, and recovery tools.",
   "interface": {
     "composerIcon": "./assets/codex-multi-auth-icon.svg"
diff --git a/README.md b/README.md
@@ -383,7 +383,7 @@ codex-multi-auth doctor --json
 
 ## Release Notes
 
-- Current prerelease: [docs/releases/v2.1.13-beta.1.md](docs/releases/v2.1.13-beta.1.md) — install via `npm i -g codex-multi-auth@beta`
+- Current prerelease: [docs/releases/v2.1.13-beta.2.md](docs/releases/v2.1.13-beta.2.md) — install via `npm i -g codex-multi-auth@beta`
 - Current stable: [docs/releases/v2.1.12.md](docs/releases/v2.1.12.md)
 - Previous stable: [docs/releases/v2.1.11.md](docs/releases/v2.1.11.md)
 - Earlier stable: [docs/releases/v2.1.10.md](docs/releases/v2.1.10.md)
diff --git a/docs/README.md b/docs/README.md
@@ -32,7 +32,7 @@ Public documentation for the `codex-multi-auth` Codex CLI multi-account OAuth ma
 
 | Document | Focus |
 | --- | --- |
-| [releases/v2.1.13-beta.1.md](releases/v2.1.13-beta.1.md) | Current prerelease notes (install via `npm i -g codex-multi-auth@beta`) |
+| [releases/v2.1.13-beta.2.md](releases/v2.1.13-beta.2.md) | Current prerelease notes (install via `npm i -g codex-multi-auth@beta`) |
 | [releases/v2.1.12.md](releases/v2.1.12.md) | Current stable release notes |
 | [releases/v2.1.11.md](releases/v2.1.11.md) | Prior stable release notes |
 | [releases/v2.1.10.md](releases/v2.1.10.md) | Earlier stable release notes |
diff --git a/docs/releases/v2.1.13-beta.2.md b/docs/releases/v2.1.13-beta.2.md
@@ -0,0 +1,80 @@
+# v2.1.13-beta.2
+
+Beta prerelease that fixes the cascade OAuth token invalidation from issue #495:
+the rotation gateway was invalidating healthy accounts one after another by
+presenting each account's OAuth token from the same IP in rapid succession,
+tripping OpenAI's anti-abuse detection. The 401 handler now detects explicit
+token-invalidation responses and stops rotating instead of cascading through
+every account.
+
+This is a **prerelease** and also carries the multi-workspace support from
+v2.1.13-beta.1 and the pinned-account 503 diagnostic from v2.1.13-beta.0. Stable
+`v2.1.13` will land once the issue #486 root cause is identified and patched.
+
+## Install
+
+```bash
+npm i -g codex-multi-auth@beta
+```
+
+## Runtime rotation
+
+### Fixes
+
+- **Detect token invalidation in 401 responses.** The 401 handler now reads the
+  response body and checks for explicit invalidation phrases (e.g.
+  `invalidated oauth token`, `authentication token has been invalidated`),
+  distinguishing them from generic expired-token 401s.
+- **Stop cascade rotation on invalidation.** When an invalidation is detected the
+  401 is returned directly to the client instead of rotating to the next account.
+  Rotating was the root cause of #495 — presenting each account's OAuth token from
+  the same IP in quick succession triggered OpenAI's anti-abuse detection and
+  invalidated the tokens in sequence. Generic 401s (expired tokens, wrong
+  credentials) continue to rotate as before.
+- **Apply a long cooldown on invalidation.** Invalidated accounts get a 5-minute
+  cooldown (`CODEX_AUTH_TOKEN_INVALIDATION_COOLDOWN_MS` /
+  `tokenInvalidationCooldownMs`) versus the generic 30-second auth-failure
+  cooldown. The cooldown is monotonic — it only extends, never shortens — so a
+  racing generic 401 cannot truncate an invalidation cooldown.
+- **Clear session affinity on invalidation.** Affinity for the affected session
+  key is cleared so the next request can pick a healthy account.
+- **Consistent client error contract.** Both invalidation exit paths
+  (refresh-failure and upstream-401) emit the same
+  `{ error: { message, code: "token_invalidated" } }` body through a single
+  shared builder, preserving the upstream human-readable message when present and
+  falling back to a stable message for non-JSON bodies.
+
+### Features
+
+- **`minRotationIntervalMs` sticky window.** A configurable sliding anchor
+  (`CODEX_AUTH_MIN_ROTATION_INTERVAL_MS` / `minRotationIntervalMs`, default 60s)
+  boosts the last-served account so back-to-back requests are less likely to
+  present a different OAuth token from the same IP within the window. The anchor
+  refreshes on every successful serve, not only on account change.
+
+## Release Hygiene
+
+### Tests
+
+- Upstream-401 invalidation returns 401 to the client, applies the ~5-minute
+  cooldown, clears affinity, and does not rotate; generic 401 still rotates
+  (regression guard); empty and HTML bodies handled.
+- Refresh-endpoint invalidation returns `code: "token_invalidated"` and routes
+  through the shared body builder.
+- Eight unit cases for the invalidation body builder cover every
+  message-extraction branch (top-level message, nested `error.message`,
+  top-level-wins priority, blank-to-nested fallback, non-JSON body, and the
+  no-usable-message fallback).
+- `minRotationIntervalMs` sliding-anchor and sticky-window coverage; schema and
+  config coverage for both new knobs (`min(0)`, allows-zero, rejects-string).
+
+## Known Gaps
+
+- The issue #486 503 root cause (doctor reports all green, runtime still returns
+  503) is **not** fixed by this prerelease; stable `v2.1.13` remains gated on it.
+
+## Refs
+
+- Issue #495 — `Rotation gateway triggers mass OAuth token invalidation across accounts`
+- PR #496 — `fix: detect token invalidation in 401 responses and stop cascade rotation`
+- PR #497 — `fix(runtime): emit consistent token_invalidated body on upstream-401 path`
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "codex-multi-auth",
-	"version": "2.1.13-beta.1",
+	"version": "2.1.13-beta.2",
 	"description": "Codex CLI multi-account OAuth manager with account switching, health checks, runtime rotation, diagnostics, and recovery tools for @openai/codex",
 	"main": "./dist/index.js",
 	"types": "./dist/index.d.ts",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "codex-multi-auth",`
`3`		`- "version": "2.1.13-beta.1",`
	`3`	`+ "version": "2.1.13-beta.2",`
`4`	`4`	`"description": "Install and operate codex-multi-auth for the official @openai/codex CLI with multi-account OAuth rotation, switching, health checks, and recovery tools.",`
`5`	`5`	`"interface": {`
`6`	`6`	`"composerIcon": "./assets/codex-multi-auth-icon.svg"`