feat: harden multi-auth update resilience and add tui version

- harden Windows shim recovery across codex.bat/codex.cmd/codex.ps1 and profile guard paths
- improve synthetic-account backup promotion and codex auth token-shape persistence
- add dashboard version label and release notes through v0.1.7
- validated with lint, typecheck, full test suite, and build

Co-authored-by: Codex <noreply@openai.com>

Author: ndycode

docs/releases/v0.1.6.md

@@ -0,0 +1,58 @@
+# Release v0.1.6
+
+Release date: 2026-03-03
+Channel: `latest`
+
+## Highlights
+
+- Fixed reset-on-update behavior by improving multi-auth runtime path selection when account storage is available only through recovery artifacts.
+- Added backup discovery recovery so non-standard backup files can restore `openai-codex-accounts.json` automatically.
+- Aligned Codex CLI sync default paths with `CODEX_HOME` to prevent auth writes from going to a different profile directory.
+- Hardened switch-sync reporting so account switches fail fast when required Codex auth persistence does not complete.
+
+## Install
+
+```bash
+npm i -g @openai/codex
+npm i -g codex-multi-auth
+```
+
+## Core Operations
+
+```bash
+codex auth login
+codex auth list
+codex auth switch 2
+codex auth status
+codex auth check
+codex auth forecast --live
+```
+
+## Validation Snapshot
+
+Release gate commands:
+
+- `npm run lint`
+- `npm run typecheck`
+- `npm run build`
+- `npm test -- test/runtime-paths.test.ts test/storage-recovery-paths.test.ts test/codex-cli-state.test.ts`
+
+## Merged PRs
+
+- Follow-up patch release for storage durability and Codex sync path alignment.
+
+## Commits
+
+- Included in release tag `v0.1.6`.
+
+## Notes
+
+- Multi-auth now treats backup/WAL signals as valid storage indicators during runtime directory selection.
+- Codex auth sync now targets the same `CODEX_HOME` root used by the active Codex installation.
+- Canonical runtime paths remain under `~/.codex/multi-auth` unless overridden by environment.
+
+## Related
+
+- [../getting-started.md](../getting-started.md)
+- [../upgrade.md](../upgrade.md)
+- [../reference/commands.md](../reference/commands.md)

docs/releases/v0.1.7.md

@@ -0,0 +1,65 @@
+# Release v0.1.7
+
+Release date: 2026-03-03
+Channel: `latest`
+
+## Highlights
+
+- Hardened Windows global command routing so multi-auth survives Codex npm shim takeovers across `codex.bat`, `codex.cmd`, and `codex.ps1`.
+- Added stock-shim signature replacement and invocation-path-first shim resolution to avoid false PATH matches and stale launcher routing.
+- Added PowerShell profile guard installation so new PowerShell sessions keep resolving `codex` to the multi-auth wrapper.
+- Strengthened account recovery by auto-promoting discovered real backups when primary storage is synthetic fixture data (including missing `accountId` fixture rows).
+- Hardened Codex auth sync writes by enriching active account payloads with complete token shape (`access_token`, `refresh_token`, `id_token`) to prevent malformed auth fallbacks.
+- Added visible dashboard version label in TUI header (`Accounts Dashboard (vX.Y.Z)`).
+
+## Install
+
+```bash
+npm i -g @openai/codex
+npm i -g codex-multi-auth
+```
+
+## Core Operations
+
+```bash
+codex auth login
+codex auth list
+codex auth switch 2
+codex auth status
+codex auth check
+codex auth forecast --live
+```
+
+## Validation Snapshot
+
+Release gate commands:
+
+- `npm run lint`
+- `npm run typecheck`
+- `npm run build`
+- `npm test`
+
+Broad validation result:
+
+- `100/100` test files passed
+- `2328/2328` tests passed
+
+## Merged PRs
+
+- Release hardening rollup for Windows shim resilience, storage recovery promotion, and TUI version visibility.
+
+## Commits
+
+- Included in release tag `v0.1.7`.
+
+## Notes
+
+- Existing account storage is auto-recovered from real backup artifacts when synthetic fixture resets are detected.
+- Windows command shims now self-heal from known stock Codex shim replacements during normal command execution.
+- TUI now shows the active package version directly in the dashboard title for fast runtime verification.
+
+## Related
+
+- [../getting-started.md](../getting-started.md)
+- [../upgrade.md](../upgrade.md)
+- [../reference/commands.md](../reference/commands.md)

lib/codex-cli/state.ts

@@ -1,9 +1,9 @@
 import { existsSync, promises as fs } from "node:fs";
-import { homedir } from "node:os";
 import { join } from "node:path";
 import { decodeJWT } from "../auth/auth.js";
 import { extractAccountEmail, extractAccountId } from "../auth/token-utils.js";
 import { createLogger } from "../logger.js";
+import { getCodexHomeDir } from "../runtime-paths.js";
 import { sleep } from "../utils.js";
 import {
 	incrementCodexCliMetric,
@@ -210,7 +210,7 @@ export function isCodexCliSyncEnabled(): boolean {
 export function getCodexCliAccountsPath(): string {
 	const override = (process.env.CODEX_CLI_ACCOUNTS_PATH ?? "").trim();
 	if (override.length > 0) return override;
-	return join(homedir(), ".codex", "accounts.json");
+	return join(getCodexHomeDir(), "accounts.json");
 }
 
 /**
@@ -226,7 +226,7 @@ export function getCodexCliAccountsPath(): string {
 export function getCodexCliAuthPath(): string {
 	const override = (process.env.CODEX_CLI_AUTH_PATH ?? "").trim();
 	if (override.length > 0) return override;
-	return join(homedir(), ".codex", "auth.json");
+	return join(getCodexHomeDir(), "auth.json");
 }
 
 /**
@@ -240,7 +240,7 @@ export function getCodexCliAuthPath(): string {
 export function getCodexCliConfigPath(): string {
 	const override = (process.env.CODEX_CLI_CONFIG_PATH ?? "").trim();
 	if (override.length > 0) return override;
-	return join(homedir(), ".codex", "config.toml");
+	return join(getCodexHomeDir(), "config.toml");
 }
 
 /**

lib/codex-cli/writer.ts

@@ -108,6 +108,73 @@ function extractSelectionFromAccountRecord(record: Record<string, unknown>): Act
 	};
 }
 
+function enrichActiveAccountRecordWithTokens(
+	record: Record<string, unknown>,
+	selection: ActiveSelection,
+): Record<string, unknown> {
+	const auth = isRecord(record.auth) ? { ...record.auth } : {};
+	const tokens = isRecord(auth.tokens) ? { ...auth.tokens } : {};
+
+	const currentAccess =
+		extractTokenFromRecord(record, ["accessToken", "access_token"]) ??
+		extractTokenFromRecord(tokens, ["access_token", "accessToken"]);
+	const currentRefresh =
+		extractTokenFromRecord(record, ["refreshToken", "refresh_token"]) ??
+		extractTokenFromRecord(tokens, ["refresh_token", "refreshToken"]);
+	const currentIdToken =
+		extractTokenFromRecord(record, ["idToken", "id_token"]) ??
+		extractTokenFromRecord(tokens, ["id_token", "idToken"]);
+
+	const selectedAccess = readTrimmedString(selection.accessToken);
+	const selectedRefresh = readTrimmedString(selection.refreshToken);
+	const selectedIdToken = readTrimmedString(selection.idToken);
+	const accountId = selection.accountId?.trim() || readAccountId(record);
+	const email = normalizeEmail(selection.email) ?? normalizeEmail(record.email);
+
+	const accessToken = selectedAccess ?? currentAccess;
+	const refreshToken = selectedRefresh ?? currentRefresh;
+	if (!accessToken || !refreshToken) {
+		return record;
+	}
+
+	const idToken = selectedIdToken ?? currentIdToken ?? accessToken;
+	const next = { ...record } as Record<string, unknown>;
+
+	next.accessToken = accessToken;
+	next.access_token = accessToken;
+	next.refreshToken = refreshToken;
+	next.refresh_token = refreshToken;
+	if (idToken) {
+		next.idToken = idToken;
+		next.id_token = idToken;
+	}
+	if (accountId) {
+		next.accountId = accountId;
+		next.account_id = accountId;
+	}
+	if (email) {
+		next.email = email;
+	}
+
+	const nextTokens = { ...tokens } as Record<string, unknown>;
+	nextTokens.access_token = accessToken;
+	nextTokens.accessToken = accessToken;
+	nextTokens.refresh_token = refreshToken;
+	nextTokens.refreshToken = refreshToken;
+	if (idToken) {
+		nextTokens.id_token = idToken;
+		nextTokens.idToken = idToken;
+	}
+	if (accountId) {
+		nextTokens.account_id = accountId;
+		nextTokens.accountId = accountId;
+	}
+	auth.tokens = nextTokens;
+	next.auth = auth;
+
+	return next;
+}
+
 function resolveMatchIndex(
 	accounts: unknown[],
 	selection: ActiveSelection,
@@ -353,6 +420,7 @@ export async function setCodexCliActiveSelection(
 			selection.accessToken.trim().length > 0 &&
 			typeof selection.refreshToken === "string" &&
 			selection.refreshToken.trim().length > 0;
+		const requireAuthWrite = hasAuthPath || selectionHasTokens;
 
 		if (!hasAccountsPath && !hasAuthPath && !selectionHasTokens) {
 			incrementCodexCliMetric("writeFailures");
@@ -435,7 +503,10 @@ export async function setCodexCliActiveSelection(
 
 							next.accounts = parsed.accounts.map((entry, index) => {
 								if (!isRecord(entry)) return entry;
-								const updated = { ...entry };
+								let updated = { ...entry } as Record<string, unknown>;
+								if (index === matchIndex) {
+									updated = enrichActiveAccountRecordWithTokens(updated, resolvedSelection);
+								}
 								updated.active = index === matchIndex;
 								updated.isActive = index === matchIndex;
 								updated.is_active = index === matchIndex;
@@ -463,10 +534,6 @@ export async function setCodexCliActiveSelection(
 			if (hasAuthPath || wroteAccounts || selectionHasTokens) {
 				wroteAuth = await writeCodexAuthState(authPath, resolvedSelection);
 				if (!wroteAuth) {
-					if (!wroteAccounts) {
-						incrementCodexCliMetric("writeFailures");
-						return false;
-					}
 					log.warn("Codex auth state update skipped after accounts selection update", {
 						operation: "write-active-selection",
 						outcome: "accounts-updated-auth-failed",
@@ -476,6 +543,10 @@ export async function setCodexCliActiveSelection(
 							email: resolvedSelection.email,
 						}),
 					});
+					if (requireAuthWrite || !wroteAccounts) {
+						incrementCodexCliMetric("writeFailures");
+						return false;
+					}
 				} else {
 					log.debug("Persisted Codex auth active selection", {
 						operation: "write-active-selection",