fix: harden runtime rotation release audit

Author: ndycode

docs/README.md

@@ -90,8 +90,8 @@ Public documentation for the `codex-multi-auth` Codex CLI multi-account OAuth ma
 | [reference/storage-paths.md](reference/storage-paths.md) | Canonical and compatibility storage paths |
 | [reference/public-api.md](reference/public-api.md) | Public API stability and semver contract |
 | [reference/error-contracts.md](reference/error-contracts.md) | CLI, JSON, and helper error semantics |
-| [releases/v2.1.7.md](releases/v2.1.7.md) | Current stable release notes |
-| [releases/v2.1.6.md](releases/v2.1.6.md) | Prior stable release notes |
+| [releases/v2.1.7.md](releases/v2.1.7.md) | Earlier stable release notes |
+| [releases/v2.1.6.md](releases/v2.1.6.md) | Earlier stable release notes |
 | [releases/v2.1.5.md](releases/v2.1.5.md) | Earlier stable release notes |
 | [releases/v2.1.4.md](releases/v2.1.4.md) | Earlier stable release notes |
 | [releases/v2.1.3.md](releases/v2.1.3.md) | Earlier stable release notes |

lib/codex-manager.ts

@@ -3616,6 +3616,7 @@ export async function runCodexMultiAuthCli(rawArgs: string[]): Promise<number> {
 			normalizeFailureDetail,
 			loadRuntimeObservabilitySnapshot:
 				loadPersistedRuntimeObservabilitySnapshot,
+			loadQuotaCache,
 		});
 	}
 	if (command === "usage") {

lib/codex-manager/commands/report.ts

@@ -34,6 +34,7 @@ import {
 	type StorageHealthSummary,
 } from "../../storage.js";
 import type { RuntimeObservabilitySnapshot } from "../../runtime/runtime-observability.js";
+import type { QuotaCacheData } from "../../quota-cache.js";
 import type { TokenFailure, TokenResult } from "../../types.js";
 import { sleep } from "../../utils.js";
 
@@ -108,6 +109,7 @@ export interface ReportCommandDeps {
 	getCwd?: () => string;
 	writeFile?: (path: string, contents: string) => Promise<void>;
 	loadRuntimeObservabilitySnapshot?: () => Promise<RuntimeObservabilitySnapshot | null>;
+	loadQuotaCache?: () => Promise<QuotaCacheData | null>;
 }
 
 function isRetryableWriteError(error: unknown): boolean {
@@ -315,6 +317,7 @@ export async function runReportCommand(
 	const refreshFailures = new Map<number, TokenFailure>();
 	const liveQuotaByIndex = new Map<number, CodexQuotaSnapshot>();
 	const probeErrors: string[] = [];
+	const quotaCache = (await deps.loadQuotaCache?.().catch(() => null)) ?? null;
 	let runtimeSnapshot: RuntimeObservabilitySnapshot | null | undefined;
 	let runtimeSnapshotLoadError: string | null = null;
 	try {
@@ -462,6 +465,8 @@ export async function runReportCommand(
 					now,
 					refreshFailure: refreshFailures.get(index),
 					liveQuota: liveQuotaByIndex.get(index),
+					quotaCache,
+					allAccounts: storage.accounts,
 					runtimeOverlay: runtimeSnapshot,
 				})),
 			)

lib/codex-manager/commands/rotation.ts

@@ -128,8 +128,6 @@ async function runResetRuntime(
 		return 1;
 	}
 
-	AccountManager.resetVolatileRuntimeState();
-	recordRuntimeReset("rotation-reset-runtime");
 	let unbind: AppBindResult | null = null;
 	let bind: AppBindResult | null = null;
 	let appBindRestarted = false;
@@ -145,7 +143,7 @@ async function runResetRuntime(
 					JSON.stringify({
 						ok: false,
 						command: "rotation reset-runtime",
-						resetVolatileRuntimeState: true,
+						resetVolatileRuntimeState: false,
 						appBindRestarted,
 						error: message,
 					}),
@@ -156,6 +154,8 @@ async function runResetRuntime(
 			return 1;
 		}
 	}
+	AccountManager.resetVolatileRuntimeState();
+	recordRuntimeReset("rotation-reset-runtime");
 	const payload = {
 		ok: true,
 		command: "rotation reset-runtime",

lib/codex-manager/repair-commands.ts

@@ -1926,12 +1926,15 @@ export async function runDoctor(
 		const runtimeSnapshot =
 			(await loadPersistedRuntimeObservabilitySnapshot().catch(() => null)) ??
 			null;
+		const quotaCache = (await loadQuotaCache().catch(() => null)) ?? null;
 		const forecastResults = evaluateForecastAccounts(
 			storageForChecks.accounts.map((account, index) => ({
 				index,
 				account,
 				isCurrent: index === activeIndex,
 				now,
+				quotaCache,
+				allAccounts: storageForChecks.accounts,
 			})),
 		);
 		const runtimeForecastResults = evaluateForecastAccounts(
@@ -1940,6 +1943,8 @@ export async function runDoctor(
 				account,
 				isCurrent: index === activeIndex,
 				now,
+				quotaCache,
+				allAccounts: storageForChecks.accounts,
 				runtimeOverlay: runtimeSnapshot,
 			})),
 		);

lib/runtime-rotation-proxy.ts

@@ -1371,8 +1371,7 @@ export async function startRuntimeRotationProxy(
 								reason === "rate-limited" ||
 								reason.startsWith("cooling-down") ||
 								reason === "policy-blocked",
-						) &&
-						accountManager.getMinWaitTimeForFamily(context.family, context.model) === 0
+						)
 					) {
 						reloadedAfterNoAccount = true;
 						const reloadedManager = await recoverStaleRuntimeState();
@@ -1850,9 +1849,7 @@ export async function startRuntimeRotationProxy(
 		baseUrl: `http://${host}:${resolvedPort}`,
 		close: async () => {
 			await closeServer(server, sockets);
-			await Promise.all(
-				[...knownAccountManagers].map((manager) => manager.flushPendingSave()),
-			);
+			await activeAccountManager.flushPendingSave();
 		},
 		getStatus: () => ({ ...status }),
 	};

package-lock.json

@@ -122,7 +122,15 @@
 		"dist/",
 		"assets/",
 		"config/",
-		"scripts/",
+		"scripts/codex.js",
+		"scripts/codex-app-launcher.js",
+		"scripts/codex-app-router.js",
+		"scripts/codex-bin-resolver.js",
+		"scripts/codex-multi-auth.js",
+		"scripts/codex-routing.js",
+		"scripts/install-codex-auth-utils.js",
+		"scripts/postinstall.js",
+		"scripts/preuninstall.js",
 		"vendor/codex-ai-plugin/",
 		"vendor/codex-ai-sdk/",
 		"README.md",
@@ -165,8 +173,8 @@
 		"@codex-ai/plugin": "file:vendor/codex-ai-plugin",
 		"@openauthjs/openauth": "^0.4.3",
 		"hono": "4.12.18",
-		"undici": "^6.24.1",
-		"zod": "^4.3.6"
+		"undici": "6.25.0",
+		"zod": "4.4.3"
 	},
 	"overrides": {
 		"hono": "4.12.18",

package.json

@@ -141,6 +141,54 @@ describe("runReportCommand", () => {
 		);
 	});
 
+	it("uses quota cache when computing non-live forecast readiness", async () => {
+		const deps = createDeps({
+			loadAccounts: vi.fn(async () =>
+				createStorage([
+					{
+						email: "quota@example.com",
+						refreshToken: "refresh-token-1",
+						accessToken: "access-token-1",
+						expiresAt: 10_000,
+						addedAt: 1,
+						lastUsed: 1,
+						accountId: "quota-account",
+						enabled: true,
+					},
+				]),
+			),
+			loadQuotaCache: vi.fn(async () => ({
+				byAccountId: {
+					"quota-account": {
+						updatedAt: 900,
+						status: 200,
+						model: "gpt-5.3-codex",
+						primary: { usedPercent: 100, resetAtMs: 61_000 },
+						secondary: {},
+					},
+				},
+				byEmail: {},
+			})),
+		});
+
+		const result = await runReportCommand(["--json"], deps);
+
+		expect(result).toBe(0);
+		expect(deps.loadQuotaCache).toHaveBeenCalledTimes(1);
+		const payload = JSON.parse(
+			String(
+				(deps.logInfo as ReturnType<typeof vi.fn>).mock.calls.at(-1)?.[0] ??
+					"{}",
+			),
+		) as {
+			forecast: { accounts: Array<{ availability: string; reasons: string[] }> };
+		};
+		expect(payload.forecast.accounts[0]?.availability).toBe("delayed");
+		expect(payload.forecast.accounts[0]?.reasons).toContain(
+			"quota cache exhausted",
+		);
+	});
+
 	it("includes runtime observability fields in json output when snapshot is available", async () => {
 		const deps = createDeps({
 			loadRuntimeObservabilitySnapshot: vi.fn(async () => ({

test/codex-manager-report-command.test.ts

@@ -235,7 +235,7 @@ describe("rotation reset-runtime", () => {
 		}
 	});
 
-	it("returns failure json when app bind restart throws after runtime reset", async () => {
+	it("returns failure json without clearing runtime diagnostics when app bind restart throws", async () => {
 		const { deps, infos, errors, bindCodexAppMock, unbindCodexAppMock } =
 			createDeps();
 		const resetSpy = vi.spyOn(AccountManager, "resetVolatileRuntimeState");
@@ -245,14 +245,14 @@ describe("rotation reset-runtime", () => {
 			const exitCode = await runRotationCommand(["reset-runtime", "--json"], deps);
 
 			expect(exitCode).toBe(1);
-			expect(resetSpy).toHaveBeenCalledTimes(1);
+			expect(resetSpy).not.toHaveBeenCalled();
 			expect(unbindCodexAppMock).toHaveBeenCalledTimes(1);
 			expect(bindCodexAppMock).not.toHaveBeenCalled();
 			expect(errors).toEqual([]);
 			expect(JSON.parse(infos.at(-1) ?? "{}")).toMatchObject({
 				ok: false,
 				command: "rotation reset-runtime",
-				resetVolatileRuntimeState: true,
+				resetVolatileRuntimeState: false,
 				appBindRestarted: false,
 				error: "unbind busy",
 			});