fix(release): repair local governance command routing

ndycode · ndycode · commit bb7a8aac7da6 · 2026-04-29T23:39:17.000+08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,19 @@ This repository's current stable release line is `2.x`.
 Current stable release notes live in `docs/releases/`.
 This top-level changelog preserves the foundational `0.x` milestones and points older iteration history to `docs/releases/legacy-pre-0.1-history.md`.
 
+## [2.1.1] - 2026-04-29
+
+Patch release for the local governance command router and bridge token JSON
+output. See [docs/releases/v2.1.1.md](docs/releases/v2.1.1.md) for full
+details.
+
+### Fixed
+
+- route all `codex auth` local governance and bridge subcommands through the
+  multi-auth wrapper instead of falling through to the official Codex CLI
+- return valid JSON for `codex auth bridge token list --json` when no local
+  bridge tokens are configured
+
 ## [2.1.0] - 2026-04-29
 
 Stable release for local usage governance and the local bridge. See [docs/releases/v2.1.0.md](docs/releases/v2.1.0.md) for full details.
diff --git a/README.md b/README.md
@@ -359,9 +359,9 @@ codex auth doctor --json
 
 ## Release Notes
 
-- Current stable: [docs/releases/v2.1.0.md](docs/releases/v2.1.0.md)
-- Previous stable: [docs/releases/v2.0.2.md](docs/releases/v2.0.2.md)
-- Earlier stable: [docs/releases/v2.0.1.md](docs/releases/v2.0.1.md)
+- Current stable: [docs/releases/v2.1.1.md](docs/releases/v2.1.1.md)
+- Previous stable: [docs/releases/v2.1.0.md](docs/releases/v2.1.0.md)
+- Earlier stable: [docs/releases/v2.0.2.md](docs/releases/v2.0.2.md)
 - Earlier stable: [docs/releases/v1.3.2.md](docs/releases/v1.3.2.md)
 - Stable archive: [docs/releases/v1.3.1.md](docs/releases/v1.3.1.md)
 - Full release archive: [docs/README.md#release-history](docs/README.md#release-history)
diff --git a/docs/README.md b/docs/README.md
@@ -32,8 +32,9 @@ Public documentation for `codex-multi-auth`.
 
 | Document | Focus |
 | --- | --- |
-| [releases/v2.1.0.md](releases/v2.1.0.md) | Current stable release notes |
-| [releases/v2.0.2.md](releases/v2.0.2.md) | Prior stable release notes |
+| [releases/v2.1.1.md](releases/v2.1.1.md) | Current stable release notes |
+| [releases/v2.1.0.md](releases/v2.1.0.md) | Prior stable release notes |
+| [releases/v2.0.2.md](releases/v2.0.2.md) | Earlier stable release notes |
 | [releases/v2.0.1.md](releases/v2.0.1.md) | Earlier stable release notes |
 | [releases/v2.0.0.md](releases/v2.0.0.md) | Earlier stable release notes |
 | [releases/v1.3.2.md](releases/v1.3.2.md) | Stable archive |
@@ -81,8 +82,9 @@ Public documentation for `codex-multi-auth`.
 | [reference/storage-paths.md](reference/storage-paths.md) | Canonical and compatibility storage paths |
 | [reference/public-api.md](reference/public-api.md) | Public API stability and semver contract |
 | [reference/error-contracts.md](reference/error-contracts.md) | CLI, JSON, and helper error semantics |
-| [releases/v2.1.0.md](releases/v2.1.0.md) | Current stable release notes |
-| [releases/v2.0.2.md](releases/v2.0.2.md) | Prior stable release notes |
+| [releases/v2.1.1.md](releases/v2.1.1.md) | Current stable release notes |
+| [releases/v2.1.0.md](releases/v2.1.0.md) | Prior stable release notes |
+| [releases/v2.0.2.md](releases/v2.0.2.md) | Earlier stable release notes |
 | [releases/v2.0.1.md](releases/v2.0.1.md) | Earlier stable release notes |
 | [releases/v0.1.0-beta.0.md](releases/v0.1.0-beta.0.md) | Archived prerelease reference |
 | [Release history](#release-history) | Stable, previous, and archived release notes |
diff --git a/docs/releases/v2.1.1.md b/docs/releases/v2.1.1.md
@@ -0,0 +1,38 @@
+# Release v2.1.1
+
+Release line: `stable`
+
+This patch release fixes two command-surface regressions found during local
+installed-package verification of `v2.1.0`.
+
+## Scope
+
+- Package version prepared for publish: `2.1.1`
+- Previous stable release: `v2.1.0`
+- Semver rationale: patch fixes for wrapper command routing and JSON output.
+
+## Fixed
+
+- `codex auth usage`, `codex auth account`, `codex auth budget`,
+  `codex auth bridge`, `codex auth integrations`, `codex auth models`, and
+  `codex auth monitor` now route through the local multi-auth command handler
+  instead of falling through to the official Codex CLI.
+- `codex auth bridge token list --json` now returns valid JSON in the empty
+  token-store state.
+- Bridge token JSON output omits token hashes and only returns plaintext tokens
+  from create or rotate actions.
+
+## Validation
+
+- `npm test -- test/codex-manager-bridge-command.test.ts test/codex-routing.test.ts`
+- `npm test -- test/local-bridge.test.ts test/local-client-tokens.test.ts test/integration-generators.test.ts test/codex-manager-integrations-command.test.ts test/codex-manager-monitor-command.test.ts test/codex-manager-usage-command.test.ts test/model-capability-matrix.test.ts test/account-policy.test.ts test/routing-profiles.test.ts`
+- `npm run lint`
+- `npm run typecheck`
+- `npm run build`
+- installed local CLI command matrix for usage, models, monitor, config,
+  budget, account policy, integrations, bridge token list, features, and verify
+  paths
+
+## Release Notes
+
+- Previous release notes: `docs/releases/v2.1.0.md`
diff --git a/lib/codex-manager/commands/bridge.ts b/lib/codex-manager/commands/bridge.ts
@@ -1,5 +1,6 @@
 import {
 	addLocalClientToken,
+	type LocalClientTokenRecord,
 	loadLocalClientTokenStore,
 	revokeLocalClientToken,
 	rotateLocalClientToken,
@@ -14,14 +15,45 @@ function printBridgeUsage(logInfo: (message: string) => void): void {
 	logInfo(
 		[
 			"Usage:",
-			"  codex auth bridge token create [--label <label>]",
-			"  codex auth bridge token list",
-			"  codex auth bridge token rotate <id>",
-			"  codex auth bridge token revoke <id>",
+			"  codex auth bridge token create [--label <label>] [--json]",
+			"  codex auth bridge token list [--json]",
+			"  codex auth bridge token rotate <id> [--json]",
+			"  codex auth bridge token revoke <id> [--json]",
 		].join("\n"),
 	);
 }
 
+function printJson(logInfo: (message: string) => void, value: unknown): void {
+	logInfo(JSON.stringify(value, null, 2));
+}
+
+function publicTokenRecord(token: LocalClientTokenRecord): {
+	id: string;
+	label: string;
+	prefix: string;
+	createdAt: number;
+	lastUsedAt: number | null;
+	revokedAt: number | null;
+	state: "active" | "revoked";
+} {
+	return {
+		id: token.id,
+		label: token.label,
+		prefix: token.prefix,
+		createdAt: token.createdAt,
+		lastUsedAt: token.lastUsedAt,
+		revokedAt: token.revokedAt,
+		state: token.revokedAt === null ? "active" : "revoked",
+	};
+}
+
+function consumeJsonFlag(args: string[]): { json: boolean; rest: string[] } {
+	return {
+		json: args.includes("--json") || args.includes("-j"),
+		rest: args.filter((arg) => arg !== "--json" && arg !== "-j"),
+	};
+}
+
 function parseLabel(args: string[]): { ok: true; label?: string } | { ok: false; message: string } {
 	let label: string | undefined;
 	for (let i = 0; i < args.length; i += 1) {
@@ -58,19 +90,40 @@ export async function runBridgeCommand(
 		return 1;
 	}
 	if (action === "create") {
-		const parsed = parseLabel(rest);
+		const { json, rest: actionArgs } = consumeJsonFlag(rest);
+		const parsed = parseLabel(actionArgs);
 		if (!parsed.ok) {
 			logError(parsed.message);
 			return 1;
 		}
 		const created = await addLocalClientToken({ label: parsed.label });
+		if (json) {
+			printJson(logInfo, {
+				command: "bridge token create",
+				token: publicTokenRecord(created.record),
+				plainToken: created.plainToken,
+			});
+			return 0;
+		}
 		logInfo(`Token id: ${created.record.id}`);
 		logInfo(`Token prefix: ${created.record.prefix}`);
 		logInfo(`Token: ${created.plainToken}`);
 		return 0;
 	}
 	if (action === "list") {
+		const { json, rest: actionArgs } = consumeJsonFlag(rest);
+		if (actionArgs.length > 0) {
+			logError(`Unknown bridge token list option: ${actionArgs[0] ?? ""}`);
+			return 1;
+		}
 		const store = await loadLocalClientTokenStore();
+		if (json) {
+			printJson(logInfo, {
+				command: "bridge token list",
+				tokens: store.tokens.map(publicTokenRecord),
+			});
+			return 0;
+		}
 		if (store.tokens.length === 0) {
 			logInfo("No local bridge tokens configured.");
 			return 0;
@@ -82,32 +135,58 @@ export async function runBridgeCommand(
 		return 0;
 	}
 	if (action === "rotate") {
-		const id = rest[0];
+		const { json, rest: actionArgs } = consumeJsonFlag(rest);
+		const id = actionArgs[0];
 		if (!id) {
 			logError("Missing token id");
 			return 1;
 		}
+		if (actionArgs.length > 1) {
+			logError(`Unknown bridge token rotate option: ${actionArgs[1] ?? ""}`);
+			return 1;
+		}
 		const rotated = await rotateLocalClientToken({ id });
 		if (!rotated) {
 			logError("Token not found or already revoked.");
 			return 1;
 		}
+		if (json) {
+			printJson(logInfo, {
+				command: "bridge token rotate",
+				token: publicTokenRecord(rotated.record),
+				plainToken: rotated.plainToken,
+			});
+			return 0;
+		}
 		logInfo(`Token id: ${rotated.record.id}`);
 		logInfo(`Token prefix: ${rotated.record.prefix}`);
 		logInfo(`Token: ${rotated.plainToken}`);
 		return 0;
 	}
 	if (action === "revoke") {
-		const id = rest[0];
+		const { json, rest: actionArgs } = consumeJsonFlag(rest);
+		const id = actionArgs[0];
 		if (!id) {
 			logError("Missing token id");
 			return 1;
 		}
+		if (actionArgs.length > 1) {
+			logError(`Unknown bridge token revoke option: ${actionArgs[1] ?? ""}`);
+			return 1;
+		}
 		const revoked = await revokeLocalClientToken(id);
 		if (!revoked) {
 			logError("Token not found or already revoked.");
 			return 1;
 		}
+		if (json) {
+			printJson(logInfo, {
+				command: "bridge token revoke",
+				id,
+				revoked: true,
+			});
+			return 0;
+		}
 		logInfo("Token revoked.");
 		return 0;
 	}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "codex-multi-auth",
-	"version": "2.1.0",
+	"version": "2.1.1",
 	"description": "Multi-account OAuth manager and codex auth wrapper for the official @openai/codex CLI, with switching, health checks, and recovery tools",
 	"main": "./dist/index.js",
 	"types": "./dist/index.d.ts",
diff --git a/scripts/codex-routing.js b/scripts/codex-routing.js
@@ -6,12 +6,19 @@ const AUTH_SUBCOMMANDS = new Set([
 	"best",
 	"check",
 	"features",
+	"usage",
 	"verify-flagged",
 	"verify",
 	"forecast",
 	"report",
 	"fix",
 	"doctor",
+	"account",
+	"budget",
+	"bridge",
+	"integrations",
+	"models",
+	"monitor",
 	"rotation",
 	"why-selected",
 	"config",
diff --git a/test/codex-manager-bridge-command.test.ts b/test/codex-manager-bridge-command.test.ts
@@ -47,4 +47,51 @@ describe("bridge command", () => {
 		expect(listOutput).toContain("OpenCode active");
 		expect(listOutput).not.toContain(token);
 	});
+
+	it("prints valid json for an empty token list", async () => {
+		const logInfo = vi.fn();
+		expect(
+			await runBridgeCommand(["token", "list", "--json"], {
+				logInfo,
+				logError: vi.fn(),
+			}),
+		).toBe(0);
+
+		const output = logInfo.mock.calls.map((call) => String(call[0])).join("\n");
+		expect(JSON.parse(output)).toEqual({
+			command: "bridge token list",
+			tokens: [],
+		});
+	});
+
+	it("omits token hashes from bridge token json output", async () => {
+		const logInfo = vi.fn();
+		expect(
+			await runBridgeCommand(["token", "create", "--label", "Env", "--json"], {
+				logInfo,
+				logError: vi.fn(),
+			}),
+		).toBe(0);
+
+		const created = JSON.parse(String(logInfo.mock.calls[0]?.[0])) as {
+			plainToken?: string;
+			token?: Record<string, unknown>;
+		};
+		expect(created.plainToken).toMatch(/^cma_local_/);
+		expect(created.token?.tokenHash).toBeUndefined();
+
+		logInfo.mockClear();
+		expect(
+			await runBridgeCommand(["token", "list", "--json"], {
+				logInfo,
+				logError: vi.fn(),
+			}),
+		).toBe(0);
+		const listed = JSON.parse(String(logInfo.mock.calls[0]?.[0])) as {
+			tokens?: Array<Record<string, unknown>>;
+		};
+		expect(listed.tokens).toHaveLength(1);
+		expect(listed.tokens?.[0]?.tokenHash).toBeUndefined();
+		expect(JSON.stringify(listed)).not.toContain(created.plainToken);
+	});
 });
diff --git a/test/codex-routing.test.ts b/test/codex-routing.test.ts
@@ -29,10 +29,17 @@ describe("codex routing helpers", () => {
 			"switch",
 			"check",
 			"features",
+			"usage",
 			"verify-flagged",
 			"forecast",
 			"best",
 			"report",
+			"account",
+			"budget",
+			"bridge",
+			"integrations",
+			"models",
+			"monitor",
 			"rotation",
 			"why-selected",
 			"verify",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "codex-multi-auth",`
`3`		`- "version": "2.1.0",`
	`3`	`+ "version": "2.1.1",`
`4`	`4`	`"description": "Multi-account OAuth manager and codex auth wrapper for the official @openai/codex CLI, with switching, health checks, and recovery tools",`
`5`	`5`	`"main": "./dist/index.js",`
`6`	`6`	`"types": "./dist/index.d.ts",`