fix: gracefully handle deactivated_workspace by removing only the dead workspace entry

- Add isDeactivatedWorkspaceError() detector in fetch-helpers.ts that
  matches HTTP 402 + detail.code/error.code === 'deactivated_workspace'
- On deactivated_workspace response: flag the specific workspace entry
  (keyed by organizationId > accountId > refreshToken), remove it from
  rotation and failover to the next healthy workspace/account
- Preserve sibling workspaces sharing the same refreshToken — only the
  dead workspace-entry is removed, not the entire user
- Extend codex-health deep probe to flag deactivated workspaces using
  the same identity key (not refreshToken) so multi-workspace users
  aren't penalized for a single bad workspace
- Add test: handleErrorResponse normalizes 402 deactivated_workspace
- Add test: plugin removes only the dead workspace and succeeds on the
  live sibling in the same request

Author: den

index.ts

@@ -128,6 +128,7 @@ import {
 	extractRequestUrl,
         handleErrorResponse,
         handleSuccessResponse,
+	isDeactivatedWorkspaceError,
 	getUnsupportedCodexModelInfo,
 	resolveUnsupportedCodexFallbackModel,
         refreshAndUpdateToken,
@@ -183,6 +184,27 @@ import {
 	getRecoveryToastContent,
 } from "./lib/recovery.js";
 
+function getWorkspaceIdentityKey(account: {
+	organizationId?: string;
+	accountId?: string;
+	refreshToken: string;
+}): string {
+	if (account.organizationId) return `organizationId:${account.organizationId}`;
+	if (account.accountId) return `accountId:${account.accountId}`;
+	return `refreshToken:${account.refreshToken}`;
+}
+
+function matchesWorkspaceIdentity(
+	account: {
+		organizationId?: string;
+		accountId?: string;
+		refreshToken: string;
+	},
+	identityKey: string,
+): boolean {
+	return getWorkspaceIdentityKey(account) === identityKey;
+}
+
 /**
  * OpenAI Codex OAuth authentication plugin for opencode
  *
@@ -2358,6 +2380,62 @@ while (attempted.size < Math.max(1, accountCount)) {
 											threadId: threadIdCandidate,
 										});
 
+			const workspaceDeactivated = isDeactivatedWorkspaceError(errorBody, response.status);
+			if (workspaceDeactivated) {
+				const identityKey = getWorkspaceIdentityKey(account);
+				const accountLabel = formatAccountLabel(account, account.index);
+				accountManager.refundToken(account, modelFamily, model);
+				accountManager.recordFailure(account, modelFamily, model);
+				account.lastSwitchReason = "rotation";
+				runtimeMetrics.failedRequests++;
+				runtimeMetrics.accountRotations++;
+				runtimeMetrics.lastError = `Deactivated workspace on ${accountLabel}`;
+				runtimeMetrics.lastErrorCategory = "workspace-deactivated";
+
+				try {
+					const flaggedStorage = await loadFlaggedAccounts();
+					const flaggedRecord: FlaggedAccountMetadataV1 = {
+						...account,
+						flaggedAt: Date.now(),
+						flaggedReason: "workspace-deactivated",
+						lastError: "deactivated_workspace",
+					};
+					const existingIndex = flaggedStorage.accounts.findIndex((flagged) =>
+						matchesWorkspaceIdentity(flagged, identityKey),
+					);
+					if (existingIndex >= 0) {
+						flaggedStorage.accounts[existingIndex] = flaggedRecord;
+					} else {
+						flaggedStorage.accounts.push(flaggedRecord);
+					}
+					await saveFlaggedAccounts(flaggedStorage);
+				} catch (flagError) {
+					logWarn(
+						`Failed to persist deactivated workspace flag for ${accountLabel}: ${flagError instanceof Error ? flagError.message : String(flagError)}`,
+					);
+				}
+
+				if (accountManager.removeAccount(account)) {
+					accountManager.saveToDiskDebounced();
+					attempted.clear();
+					accountCount = accountManager.getAccountCount();
+					await showToast(
+						`Workspace deactivated. Removed ${accountLabel} from rotation and switching accounts.`,
+						"warning",
+						{ duration: toastDurationMs },
+					);
+					break;
+				}
+
+				accountManager.markAccountCoolingDown(
+					account,
+					ACCOUNT_LIMITS.AUTH_FAILURE_COOLDOWN_MS,
+					"auth-failure",
+				);
+				accountManager.saveToDiskDebounced();
+				break;
+			}
+
 			const unsupportedModelInfo = getUnsupportedCodexModelInfo(errorBody);
 			const hasRemainingAccounts = attempted.size < Math.max(1, accountCount);
 
@@ -2964,6 +3042,9 @@ while (attempted.size < Math.max(1, accountCount)) {
 												(typeof (errorBody as { error?: { message?: unknown } })?.error?.message === "string"
 													? (errorBody as { error?: { message?: string } }).error?.message
 													: bodyText) || `HTTP ${response.status}`;
+											if (isDeactivatedWorkspaceError(errorBody, response.status)) {
+												throw new Error("deactivated_workspace");
+											}
 											throw new Error(message);
 										}
 
@@ -3115,7 +3196,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 													} else {
 														flaggedStorage.accounts.push(flaggedRecord);
 													}
-													removeFromActive.add(account.refreshToken);
+													removeFromActive.add(`refreshToken:${account.refreshToken}`);
 													flaggedChanged = true;
 												}
 												continue;
@@ -3194,13 +3275,31 @@ while (attempted.size < Math.max(1, accountCount)) {
 											console.log(
 												`[${i + 1}/${total}] ${label}: ${formatCodexQuotaLine(snapshot)}`,
 											);
-										} catch (error) {
-											errors += 1;
-											const message = error instanceof Error ? error.message : String(error);
-											console.log(
-												`[${i + 1}/${total}] ${label}: ERROR (${message.slice(0, 160)})`,
-											);
-										}
+											} catch (error) {
+												errors += 1;
+												const message = error instanceof Error ? error.message : String(error);
+												if (message.includes("deactivated_workspace")) {
+													const existingIndex = flaggedStorage.accounts.findIndex((flagged) =>
+														matchesWorkspaceIdentity(flagged, getWorkspaceIdentityKey(account)),
+													);
+													const flaggedRecord: FlaggedAccountMetadataV1 = {
+														...account,
+														flaggedAt: Date.now(),
+														flaggedReason: "workspace-deactivated",
+														lastError: message,
+													};
+													if (existingIndex >= 0) {
+														flaggedStorage.accounts[existingIndex] = flaggedRecord;
+													} else {
+														flaggedStorage.accounts.push(flaggedRecord);
+													}
+													removeFromActive.add(getWorkspaceIdentityKey(account));
+													flaggedChanged = true;
+												}
+												console.log(
+													`[${i + 1}/${total}] ${label}: ERROR (${message.slice(0, 160)})`,
+												);
+											}
 									} catch (error) {
 										errors += 1;
 										const message = error instanceof Error ? error.message : String(error);
@@ -3210,7 +3309,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 
 								if (removeFromActive.size > 0) {
 									workingStorage.accounts = workingStorage.accounts.filter(
-										(account) => !removeFromActive.has(account.refreshToken),
+										(account) => !removeFromActive.has(getWorkspaceIdentityKey(account)),
 									);
 									clampActiveIndices(workingStorage);
 									storageChanged = true;
@@ -3228,7 +3327,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 								console.log(`Results: ${ok} ok, ${errors} error, ${disabled} disabled`);
 								if (removeFromActive.size > 0) {
 									console.log(
-										`Moved ${removeFromActive.size} account(s) to flagged pool (invalid refresh token).`,
+										`Moved ${removeFromActive.size} account(s) to flagged pool.`,
 									);
 								}
 								console.log("");

lib/request/fetch-helpers.ts

@@ -279,6 +279,35 @@ export interface ErrorDiagnostics {
 	httpStatus?: number;
 }
 
+const DEACTIVATED_WORKSPACE_CODE = "deactivated_workspace";
+
+function getStructuredErrorCode(errorBody: unknown): string | undefined {
+	if (!isRecord(errorBody)) return undefined;
+
+	const directCode = errorBody.code;
+	if (typeof directCode === "string" && directCode.trim()) return directCode.trim();
+
+	const detail = errorBody.detail;
+	if (isRecord(detail)) {
+		const detailCode = detail.code;
+		if (typeof detailCode === "string" && detailCode.trim()) return detailCode.trim();
+	}
+
+	const nestedError = errorBody.error;
+	if (isRecord(nestedError)) {
+		const nestedCode = nestedError.code ?? nestedError.type;
+		if (typeof nestedCode === "string" && nestedCode.trim()) return nestedCode.trim();
+	}
+
+	return undefined;
+}
+
+export function isDeactivatedWorkspaceError(errorBody: unknown, status?: number): boolean {
+	if (status !== undefined && status !== 402) return false;
+	const code = getStructuredErrorCode(errorBody);
+	return code === DEACTIVATED_WORKSPACE_CODE;
+}
+
 /**
  * Determines if the current auth token needs to be refreshed
  * @param auth - Current authentication state
@@ -730,6 +759,21 @@ function normalizeErrorPayload(
         status: number,
         diagnostics?: ErrorDiagnostics,
 ): ErrorPayload {
+	if (isDeactivatedWorkspaceError(errorBody, status)) {
+		const payload: ErrorPayload = {
+			error: {
+				message:
+					"The selected ChatGPT workspace is deactivated. This workspace entry should be removed from rotation or re-authorized before retrying.",
+				type: "workspace_deactivated",
+				code: DEACTIVATED_WORKSPACE_CODE,
+			},
+		};
+		if (diagnostics && Object.keys(diagnostics).length > 0) {
+			payload.error.diagnostics = diagnostics;
+		}
+		return payload;
+	}
+
         if (isUnsupportedCodexModelForChatGpt(status, bodyText)) {
                 const unsupportedModel =
 			extractUnsupportedCodexModelFromText(bodyText) ?? "requested model";

test/fetch-helpers.test.ts

@@ -9,6 +9,7 @@ import {
     handleErrorResponse,
     handleSuccessResponse,
     isEntitlementError,
+    isDeactivatedWorkspaceError,
     createEntitlementErrorResponse,
 	getUnsupportedCodexModelInfo,
 	resolveUnsupportedCodexFallbackModel,
@@ -21,9 +22,9 @@ import type { Auth } from '../lib/types.js';
 import { URL_PATHS, OPENAI_HEADERS, OPENAI_HEADER_VALUES, CODEX_BASE_URL } from '../lib/constants.js';
 
 describe('Fetch Helpers Module', () => {
-	afterEach(() => {
-		vi.restoreAllMocks();
-	});
+		afterEach(() => {
+			vi.restoreAllMocks();
+		});
 
 	describe('shouldRefreshToken', () => {
 		it('should return true for non-oauth auth', () => {
@@ -487,8 +488,21 @@ describe('Fetch Helpers Module', () => {
 		});
 	});
 
-	describe('handleErrorResponse error normalization', () => {
-		it('extracts nested error.message', async () => {
+		describe('handleErrorResponse error normalization', () => {
+			it('normalizes deactivated workspace errors with dedicated code', async () => {
+				const body = { detail: { code: 'deactivated_workspace' } };
+				const response = new Response(JSON.stringify(body), { status: 402, statusText: 'Payment Required' });
+
+				const { response: result, errorBody } = await handleErrorResponse(response);
+				const json = await result.json() as { error: { message: string; type?: string; code?: string } };
+
+				expect(isDeactivatedWorkspaceError(errorBody, 402)).toBe(true);
+				expect(json.error.code).toBe('deactivated_workspace');
+				expect(json.error.type).toBe('workspace_deactivated');
+				expect(json.error.message).toContain('workspace is deactivated');
+			});
+
+			it('extracts nested error.message', async () => {
 			const body = { error: { message: 'nested error message', type: 'test_type', code: 'test_code' } };
 			const response = new Response(JSON.stringify(body), { status: 500 });
 

test/index-retry.test.ts

@@ -24,6 +24,7 @@ vi.mock("../lib/request/fetch-helpers.js", () => ({
 	refreshAndUpdateToken: async (auth: any) => auth,
 	createCodexHeaders: () => new Headers(),
 	handleErrorResponse: async (response: Response) => ({ response }),
+	isDeactivatedWorkspaceError: () => false,
 	resolveUnsupportedCodexFallbackModel: () => undefined,
 	shouldFallbackToGpt52OnUnsupportedGpt53: () => false,
 	handleSuccessResponse: async (response: Response) => response,