fix: keep deactivated workspaces out of restore flow

Author: ndycode

index.ts

@@ -3071,6 +3071,9 @@ while (attempted.size < Math.max(1, accountCount)) {
 										lastError = new Error("Codex response did not include quota headers");
 									} catch (error) {
 										lastError = error instanceof Error ? error : new Error(String(error));
+										if (lastError.message === "deactivated_workspace") {
+											throw lastError;
+										}
 									}
 								}
 
@@ -3291,27 +3294,27 @@ while (attempted.size < Math.max(1, accountCount)) {
 											console.log(
 												`[${i + 1}/${total}] ${label}: ${formatCodexQuotaLine(snapshot)}`,
 											);
-											} catch (error) {
-												errors += 1;
-												const message = error instanceof Error ? error.message : String(error);
-												if (message.includes("deactivated_workspace")) {
-													const flaggedRecord: FlaggedAccountMetadataV1 = {
-														...account,
-														flaggedAt: Date.now(),
-														flaggedReason: "workspace-deactivated",
-														lastError: message,
-													};
-													flaggedUpdates.set(
-														getWorkspaceIdentityKey(flaggedRecord),
-														flaggedRecord,
-													);
-													removeFromActive.add(getWorkspaceIdentityKey(account));
-													flaggedChanged = true;
-												}
-												console.log(
-													`[${i + 1}/${total}] ${label}: ERROR (${message.slice(0, 160)})`,
+										} catch (error) {
+											errors += 1;
+											const message = error instanceof Error ? error.message : String(error);
+											if (message === "deactivated_workspace") {
+												const flaggedRecord: FlaggedAccountMetadataV1 = {
+													...account,
+													flaggedAt: Date.now(),
+													flaggedReason: "workspace-deactivated",
+													lastError: message,
+												};
+												flaggedUpdates.set(
+													getWorkspaceIdentityKey(flaggedRecord),
+													flaggedRecord,
 												);
+												removeFromActive.add(getWorkspaceIdentityKey(account));
+												flaggedChanged = true;
 											}
+											console.log(
+												`[${i + 1}/${total}] ${label}: ERROR (${message.slice(0, 160)})`,
+											);
+										}
 									} catch (error) {
 										errors += 1;
 										const message = error instanceof Error ? error.message : String(error);
@@ -3369,6 +3372,13 @@ while (attempted.size < Math.max(1, accountCount)) {
 									const flagged = flaggedStorage.accounts[i];
 									if (!flagged) continue;
 									const label = flagged.email ?? flagged.accountLabel ?? `Flagged ${i + 1}`;
+									if (flagged.flaggedReason === "workspace-deactivated") {
+										console.log(
+											`[${i + 1}/${flaggedStorage.accounts.length}] ${label}: STILL FLAGGED (workspace deactivated)`,
+										);
+										remaining.push(flagged);
+										continue;
+									}
 									try {
 										const cached = await lookupCodexCliTokensByEmail(flagged.email);
 										const now = Date.now();

lib/storage.ts

@@ -923,6 +923,9 @@ function normalizeFlaggedStorage(data: unknown): FlaggedAccountStorageV1 {
 
 	const normalizeFlaggedIdentityPart = (value: unknown): string | undefined =>
 		typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+	// Flagged storage must keep sibling workspace entries separate when they share an
+	// organization but have different accountIds, so this key is more specific than
+	// the normal account identity collapse used in active storage.
 	const getFlaggedIdentityKey = (account: {
 		organizationId?: string;
 		accountId?: string;

test/index.test.ts

@@ -186,10 +186,21 @@ vi.mock("../lib/request/rate-limit-backoff.js", () => ({
 		refreshAndUpdateToken: vi.fn(async (auth: unknown) => auth),
 		createCodexHeaders: vi.fn(() => new Headers()),
 		handleErrorResponse: vi.fn(async (response: Response) => ({ response })),
-		isDeactivatedWorkspaceError: vi.fn((errorBody: unknown, status?: number) =>
-			status === 402 &&
-			(errorBody as { error?: { code?: string } })?.error?.code === "deactivated_workspace",
-		),
+		isDeactivatedWorkspaceError: vi.fn((errorBody: unknown, status?: number) => {
+			if (status !== 402 || !errorBody || typeof errorBody !== "object") return false;
+			const body = errorBody as {
+				code?: unknown;
+				detail?: { code?: unknown } | undefined;
+				error?: { code?: unknown; type?: unknown } | undefined;
+			};
+			const code =
+				(typeof body.code === "string" && body.code) ||
+				(typeof body.detail?.code === "string" && body.detail.code) ||
+				(typeof body.error?.code === "string" && body.error.code) ||
+				(typeof body.error?.type === "string" && body.error.type) ||
+				undefined;
+			return code === "deactivated_workspace";
+		}),
 	getUnsupportedCodexModelInfo: vi.fn(() => ({ isUnsupported: false })),
 	resolveUnsupportedCodexFallbackModel: vi.fn(() => undefined),
 	shouldFallbackToGpt52OnUnsupportedGpt53: vi.fn(() => false),
@@ -3498,6 +3509,56 @@ describe("OpenAIOAuthPlugin persistAccountPool", () => {
 		});
 	});
 
+	it("keeps workspace-deactivated flagged entries out of verify-flagged restore", async () => {
+		const cliModule = await import("../lib/cli.js");
+		const storageModule = await import("../lib/storage.js");
+		const refreshQueueModule = await import("../lib/refresh-queue.js");
+
+		mockFlaggedStorage.accounts = [
+			{
+				refreshToken: "flagged-refresh-dead",
+				organizationId: "org-dead",
+				accountId: "workspace-dead",
+				accountIdSource: "manual",
+				accountLabel: "Dead Workspace",
+				email: "dead@example.com",
+				flaggedAt: Date.now() - 500,
+				flaggedReason: "workspace-deactivated",
+				lastError: "deactivated_workspace",
+				addedAt: Date.now() - 500,
+				lastUsed: Date.now() - 500,
+			},
+		];
+
+		vi.mocked(cliModule.promptLoginMode)
+			.mockResolvedValueOnce({ mode: "verify-flagged" })
+			.mockResolvedValueOnce({ mode: "cancel" });
+
+		const mockClient = createMockClient();
+		const { OpenAIOAuthPlugin } = await import("../index.js");
+		const plugin = (await OpenAIOAuthPlugin({
+			client: mockClient,
+		} as never)) as unknown as PluginType;
+		const autoMethod = plugin.auth.methods[0] as unknown as {
+			authorize: (inputs?: Record<string, string>) => Promise<{ instructions: string }>;
+		};
+
+		const authResult = await autoMethod.authorize();
+		expect(authResult.instructions).toBe("Authentication cancelled");
+
+		expect(vi.mocked(refreshQueueModule.queuedRefresh)).not.toHaveBeenCalled();
+		expect(mockStorage.accounts).toHaveLength(0);
+		expect(vi.mocked(storageModule.saveFlaggedAccounts)).toHaveBeenCalledWith({
+			version: 1,
+			accounts: expect.arrayContaining([
+				expect.objectContaining({
+					accountId: "workspace-dead",
+					flaggedReason: "workspace-deactivated",
+				}),
+			]),
+		});
+	});
+
 	it("removes only the token-invalid org-scoped workspace during deep-check cleanup", async () => {
 		const cliModule = await import("../lib/cli.js");
 		const refreshQueueModule = await import("../lib/refresh-queue.js");