fix: 4 bugs found during deep stress test

ndycode · ndycode · commit 8d36a7440236 · 2026-06-11T01:09:23.000+08:00
[MEDIUM] lib/storage/flagged-storage.ts: normalizeFlaggedStorage was silently dropping workspaces, currentWorkspaceIndex, accessToken, and expiresAt from flagged accounts, defeating the Zod schema's .passthrough() intent and causing multi-workspace accounts to permanently lose their workspace list after a flag/restore round-trip. [MEDIUM] lib/codex-manager/login-menu-data.ts: refreshQuotaCacheForMenu had a dead catch block because loadQuotaCache() never throws — it returns empty maps on any read failure. When the persisted cache came back empty (e.g. transient lock), only this run's probed entries were saved, wiping all other accounts' still-valid quota data. Fixed by explicitly detecting the empty-load case and falling back to nextCache (the full in-memory clone). [HIGH] lib/runtime-rotation-proxy.ts: persistRuntimeActiveAccount advanced the sequential drain-first pointer via markSwitchedLocked in the legacy routing branch even when schedulingStrategy was 'sequential', defeating the #509 invariant. Added the same schedulingStrategy !== 'sequential' guard that the enabled branch already had. [MEDIUM] lib/runtime/rotation-token-refresh.ts: ensureFreshAccessToken could return an expired access token when commitRefreshedAuthOnce returned null (account missing from storage after persist), because updatedAccount fell back to the original account which still carried the old token. Fixed to use refreshResult.access (the just-issued token) in the null-commit case, while preserving the committed account's stored token on the success path (required for the dedup-commit case where two concurrent callers share one commit).
diff --git a/lib/codex-manager/login-menu-data.ts b/lib/codex-manager/login-menu-data.ts
@@ -219,22 +219,34 @@ export async function refreshQuotaCacheForMenu(
 		// entries meanwhile, and writing the stale clone back whole-file would
 		// silently discard them (last write wins). Re-apply this run's results
 		// onto the freshest persisted cache instead.
+		//
+		// loadQuotaCache() is documented to never throw — on any read failure it
+		// returns empty maps. We also guard the empty-maps case explicitly: if the
+		// persisted cache came back empty (read failure / empty file), fall back to
+		// nextCache so non-probed entries are not wiped. The try/catch handles any
+		// mocked or future implementation that does throw.
 		let cacheToSave = nextCache;
 		try {
 			const persisted = await loadQuotaCache();
-			for (const { account, snapshot } of appliedSnapshots) {
-				updateQuotaCacheForAccount(
-					persisted,
-					account,
-					snapshot,
-					storage.accounts,
-					emailFallbackState,
-				);
+			const persistedHasData =
+				Object.keys(persisted.byAccountId).length > 0 ||
+				Object.keys(persisted.byEmail).length > 0;
+			if (persistedHasData) {
+				for (const { account, snapshot } of appliedSnapshots) {
+					updateQuotaCacheForAccount(
+						persisted,
+						account,
+						snapshot,
+						storage.accounts,
+						emailFallbackState,
+					);
+				}
+				cacheToSave = persisted;
 			}
-			cacheToSave = persisted;
+			// else: persisted came back empty; keep cacheToSave = nextCache.
 		} catch {
-			// Fall back to the snapshot clone; saving slightly stale data beats
-			// dropping this run's probe results.
+			// loadQuotaCache threw (unexpected); fall back to the snapshot clone
+			// so non-probed entries survive.
 		}
 		try {
 			await saveQuotaCache(cacheToSave);
diff --git a/lib/runtime-rotation-proxy.ts b/lib/runtime-rotation-proxy.ts
@@ -293,6 +293,7 @@ async function persistRuntimeActiveAccount(
 	account: ManagedAccount,
 	family: ModelFamily,
 	isPinned: boolean,
+	schedulingStrategy: string,
 ): Promise<void> {
 	if (isPinned) {
 		// When the user has manually pinned an account, the proxy MUST NOT
@@ -319,7 +320,16 @@ async function persistRuntimeActiveAccount(
 		// `saveToDiskDebounced` + CLI sync still run in both modes: they snapshot the
 		// current in-memory state / mirror the CLI selection and do not advance the
 		// in-memory rotation cursor.
-		if (accountManager.getRoutingMutexMode() !== "enabled") {
+		//
+		// Sequential scheduling fix (#509): in "sequential" mode a within-request
+		// fallback to a different account must NOT advance the drain-first primary
+		// pointer — only a true primary-exhaustion in chooseAccount may do that.
+		// Apply the same guard here as the in-loop re-commit (lines 939-958) so
+		// the legacy branch cannot silently clobber the sequential drain order.
+		if (
+			accountManager.getRoutingMutexMode() !== "enabled" &&
+			schedulingStrategy !== "sequential"
+		) {
 			await accountManager.markSwitchedLocked(account, "rotation", family);
 		}
 		accountManager.saveToDiskDebounced();
@@ -1349,6 +1359,7 @@ async function handleRequestInner(
 				refreshed.account,
 				context.family,
 				isPinned && refreshed.account.index === pinnedIndex,
+				state.schedulingStrategy,
 			);
 
 			const forwarded = await forwardStreamingResponse(
diff --git a/lib/runtime/rotation-token-refresh.ts b/lib/runtime/rotation-token-refresh.ts
@@ -118,15 +118,27 @@ export async function ensureFreshAccessToken(params: {
 		expires: refreshResult.expires,
 	};
 	try {
-		const updatedAccount = (await commitRefreshedAuthOnce(
+		const updatedAccount = await commitRefreshedAuthOnce(
 			accountManager,
 			account,
 			auth,
-		)) ?? account;
+		);
+		// If commit succeeded, use the stored access token from the committed
+		// account — this also handles the dedup case where two concurrent callers
+		// share one commit and both end up with the same committed token.
+		// If commit returned null (account missing from storage after persist),
+		// fall back to the original account object but always use refreshResult.access:
+		// the original account may carry an expired token, and using that would
+		// cause a downstream 401 and incorrectly trigger invalidation-cooldown logic.
+		const resolvedAccount = updatedAccount ?? account;
+		const accessToken =
+			updatedAccount !== null
+				? (updatedAccount.access ?? refreshResult.access)
+				: refreshResult.access;
 		return {
 			ok: true,
-			accessToken: updatedAccount.access ?? refreshResult.access,
-			account: updatedAccount,
+			accessToken,
+			account: resolvedAccount,
 		};
 	} catch {
 		accountManager.recordFailure(account, family, model);
diff --git a/lib/storage/flagged-storage.ts b/lib/storage/flagged-storage.ts
@@ -102,6 +102,14 @@ export function normalizeFlaggedStorage(
 					: undefined,
 			email:
 				typeof rawAccount.email === "string" ? rawAccount.email : undefined,
+			accessToken:
+				typeof rawAccount.accessToken === "string"
+					? rawAccount.accessToken
+					: undefined,
+			expiresAt:
+				typeof rawAccount.expiresAt === "number"
+					? rawAccount.expiresAt
+					: undefined,
 			enabled:
 				typeof rawAccount.enabled === "boolean"
 					? rawAccount.enabled
@@ -113,6 +121,13 @@ export function normalizeFlaggedStorage(
 					? rawAccount.coolingDownUntil
 					: undefined,
 			cooldownReason,
+			workspaces: Array.isArray(rawAccount.workspaces)
+				? (rawAccount.workspaces as FlaggedAccountMetadataV1["workspaces"])
+				: undefined,
+			currentWorkspaceIndex:
+				typeof rawAccount.currentWorkspaceIndex === "number"
+					? rawAccount.currentWorkspaceIndex
+					: undefined,
 			flaggedAt,
 			flaggedReason:
 				typeof rawAccount.flaggedReason === "string"
